Create a .lua file from Python

jmp jeanmichel at sequans.com
Fri Oct 2 05:03:11 EDT 2015


On 10/01/2015 09:12 PM, Steven D'Aprano wrote:
> On Wed, 30 Sep 2015 07:21 pm, jmp wrote:
>
>>> Is Ariel's xml file user-supplied? If so, how does your suggestion
>>> prevent the resulting lua script from executing arbitrary code?
>>
>> It does not. Like it doesn't fulfill the millions of possible
>> requirements the OP could have written but did not. What if the OP wants
>> a thread safe, super fast, multi core solution distributed on multiple
>> remote hosts?
>
> Then he should have said so.
>
> We are not *required* to guess every last requirement that somebody might
> have but didn't mention. But we do have a professional[1] duty of care to
> warn an *obvious beginner* that he may be introducing a serious security
> vulnerability into his code.

I agree with you, and to some extent with Peter's answer: my solution is 
not safe, but note that I didn't mean it to be, nor did I claim it was safe.

What I disagree with is the suggestion that I should provide a safe 
version of my solution, just in case the OP forgot to mention that he 
was going public with his application, while a simple "beware, this 
solution is not safe" would have sufficed.

Safety is like speed optimization; you care about it only when it can be 
a problem. And the vast majority (there's a recent trolling thread about 
the equivalent percentage of "vast majority" if you want to have fun) of 
Python code may run on trusted networks. Meaning it's probable you are 
wrong when assuming security of a Python snippet is a concern.


JM

Note: becoming public on the internet is not even enough for security 
to be a concern. Consider the OP's request: someone around the world 
would need to be willing to hack into the OP's server, guess/find out 
that the xml is able to execute lua, and then attack the server for a 
reason yet to be known. If the OP's name is google, yeah, someone will 
want to do that. If you're completely anonymous...
