Why Is Escaping Data Considered So Magical?
Lawrence D'Oliveiro
ldo at geek-central.gen.new_zealand
Tue Jun 29 20:26:11 EDT 2010
In message <slrni2f8v2.j19.grahn+nntp at frailea.sa.invalid>, Jorgen Grahn
wrote:
> On Sat, 2010-06-26, Lawrence D'Oliveiro wrote:
>
>> In message <slrni297ec.1m5.grahn+nntp at frailea.sa.invalid>, Jorgen Grahn
>> wrote:
>>
>>> I thought it was well-known that the solution is *not* to try to
>>> sanitize the input -- it's to switch to an interface which doesn't
>>> involve generating an intermediate executable. In the Python example,
>>> that would be something like os.popen2(['zcat', '-f', '--', untrusted]).
>>
>> That’s what I mean. Why do people consider input sanitization so hard?
>
> I'm not sure you understood me correctly, because I advocate
> *not* doing input sanitization. Hard or not -- I don't want to know,
> because I don't want to do it.
But no-one has yet managed to come up with an alternative that involves less
work.
More information about the Python-list
mailing list