Security implications of using open() on untrusted strings.

Jorgen Grahn grahn+nntp at snipabacken.se
Wed Nov 26 09:00:06 EST 2008


On Tue, 25 Nov 2008 23:37:25 +0100, News123 <news123 at free.fr> wrote:
> Jorgen Grahn wrote:
>>   Compare with a language (does Perl allow this?) where if the string
>>   is "rm -rf /|", open will run "rm -rf /" and start reading its output.
>>   *That* interface would have been 

> Good example. (for perl):

I should actually have removed that paragraph from my posting.
I was about to write "*That* interface would have been dangerous!" but
then I thought "Hm, isn't the user supposed to be in control of that
string, and isn't it his fault if he enters '-rm -rf |', just as if
he entered the name of his most valuable file?"

I don't know ...

> The problem doesn't exist in python
> open("rm -rf / |") would try to open a file with exactly that name and
> it would fail if it doesn't exist.
>
> In perl the perl script author has the choice to be safe (three argument
> open) or to allow stupid or nice things with a two argument open.

...

> Sometimes I miss the 'dangerous variation' in python and I explicitly
> add code in python that the filename '-' will be treated as stdin for
> files to be read and as stdout for files to be written to

That's something I frequently do, too. And I see no harm in it, if I
document it and people expect it (for those who don't know, reserving
'-' for this is a Unix tradition).

/Jorgen

-- 
  // Jorgen Grahn <grahn@        Ph'nglui mglw'nafh Cthulhu
\X/     snipabacken.se>          R'lyeh wgah'nagl fhtagn!
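The two points of the thread, that Python's open() takes the string as a literal path and never as a command, and that reserving '-' for stdin/stdout is a harmless convention when documented, as an added example in Python. This is not code from the original post or from either poster; the open_or_std() wrapper, its injectable stdin/stdout parameters, the temporary-directory scenario and the Perl-style emulation are all constructed here for illustration, and the path handling assumes a POSIX filesystem (where '|' and spaces are legal in names and '/' is the only separator).

```python
import io
import os
import subprocess
import sys
import tempfile
from contextlib import contextmanager

STDIO_NAME = "-"  # Unix convention: '-' is stdin when reading, stdout when writing


@contextmanager
def open_or_std(name, mode="r", *, stdin=None, stdout=None):
    """'-' yields stdin/stdout; anything else is a literal path given to open().

    stdin/stdout are injectable (hypothetical parameters, not a library API)
    so the function can be exercised without touching the real process streams.
    """
    stdin = sys.stdin if stdin is None else stdin
    stdout = sys.stdout if stdout is None else stdout
    if name == STDIO_NAME:
        if "+" in mode:
            raise ValueError("'-' cannot be opened for update (read/write)")
        if "r" in mode:
            yield stdin  # shared stream: deliberately not closed on exit
        elif set(mode) & set("wax"):
            yield stdout
        else:
            raise ValueError(f"unsupported mode {mode!r} for '-'")
        return
    # No shell and no pipe parsing: open() treats the string purely as a path.
    with open(name, mode) as f:
        yield f


def read_source(name, stdin=None):
    """Read all of `name` ('-' = stdin) and return it as text."""
    with open_or_std(name, "r", stdin=stdin) as f:
        return f.read()


def write_sink(name, data, stdout=None):
    """Write `data` to `name` ('-' = stdout); returns the number of chars written."""
    with open_or_std(name, "w", stdout=stdout) as f:
        return f.write(data)


def stdio_roundtrip(text):
    """Self-check of the '-' handling with in-memory streams standing in for stdin/stdout."""
    fake_in, fake_out = io.StringIO(text), io.StringIO()
    echoed = read_source("-", stdin=fake_in)
    n = write_sink("-", echoed, stdout=fake_out)
    return echoed, n, fake_out.getvalue()


def classify_open(name):
    """Feed an untrusted string to open() and report what the OS did with it.

    Returns ('opened', bytes) or ('missing' | 'directory' | 'denied', None).
    Whatever the string looks like, nothing is ever executed.
    """
    try:
        with open(name, "rb") as f:
            return "opened", f.read()
    except FileNotFoundError:
        return "missing", None
    except IsADirectoryError:
        return "directory", None
    except PermissionError:
        return "denied", None


def perl_two_arg_open_emulation(name):
    """Emulation of Perl's two-argument open() pipe form, for contrast only.

    A trailing '|' turns the rest of the string into a shell command and
    returns its output. This is the dangerous interface the thread discusses;
    never call it on a string an attacker controls.
    """
    if name.rstrip().endswith("|"):
        cmd = name.rstrip()[:-1]
        proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        return proc.stdout
    with open(name) as f:
        return f.read()


def demo():
    """Constructed scenario: a file whose name really is 'rm -rf /|'."""
    with tempfile.TemporaryDirectory() as tmp:
        # POSIX splits 'rm -rf /|' at the '/' into directory 'rm -rf ' and file '|'.
        weird_dir = os.path.join(tmp, "rm -rf ")
        os.mkdir(weird_dir)
        weird_path = os.path.join(tmp, "rm -rf /|")  # same as weird_dir + "/|"
        with open(weird_path, "w") as f:
            f.write("just a file\n")
        return {
            "literal_name": classify_open(weird_path),                      # exists: opened, read
            "nonexistent": classify_open(os.path.join(tmp, "rm -rf / |")),  # no such file
            "directory": classify_open(weird_dir),                          # a directory
        }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
    print(stdio_roundtrip("via '-'\n"))
    print(repr(perl_two_arg_open_emulation("echo pwned |")))
```

classify_open() is the check worth keeping around when a filename comes from a user: the only things open() can do with 'rm -rf /|' are open a file literally called that, or fail with one of the listed OSError subclasses. The emulation function exists only to make the Perl contrast concrete; delete it from anything real.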