Security implications of using open() on untrusted strings.
Jorgen Grahn
grahn+nntp at snipabacken.se
Wed Nov 26 09:00:06 EST 2008
On Tue, 25 Nov 2008 23:37:25 +0100, News123 <news123 at free.fr> wrote:
> Jorgen Grahn wrote:
>> Compare with a language (does Perl allow this?) where if the string
>> is "rm -rf /|", open will run "rm -rf /" and start reading its output.
>> *That* interface would have been
> Good example. (for perl):
I should actually have removed that paragraph from my posting.
I was about to write "*That* interface would have been dangerous!" but
then I thought "Hm, isn't the user supposed to be in control of that
string, and isn't it his fault if he enters '-rm -rf |', just as if
he entered the name of his most valuable file?"
I don't know ...
> The problem doesn't exist in python
> open("rm -rf / |") would try to open a file with exactly that name and
> it would fail if it doesn't exist.
>
> In perl the perl script author has the choice to be safe (three argument
> open) or to allow stupid or nice things with a two argument open.
...
> Sometimes I miss the 'dangerous variation' in python and I explicitely
> add code in python that the filename '-' will be treated as stdin for
> files to be read and as stdout for files to be written to
That's something I frequently do, too. And I see no harm in it, if I
document it and people expect it (for those who don't know, reserving
'-' for this is a Unix tradition).
/Jorgen
--
// Jorgen Grahn <grahn@ Ph'nglui mglw'nafh Cthulhu
\X/ snipabacken.se> R'lyeh wgah'nagl fhtagn!
More information about the Python-list
mailing list