Untrusted code execution
Chris Angelico
rosuav at gmail.com
Tue Apr 5 13:12:07 EDT 2016
On Wed, Apr 6, 2016 at 12:50 AM, Ian Kelly <ian.g.kelly at gmail.com> wrote:
> Same here, although it looks to me like this approach could work. Or
> I'm just not clever enough to see how it could be exploited.
Having been bitten in the past (our test box was compromised by
python-list white hats within 20 minutes of the invitation being sent
out), I would go with the second of your options. Nearly anything is
vulnerable if it's permitted to execute arbitrary code; all it takes
is a sufficiently smart operator.
ChrisA
More information about the Python-list
mailing list