Untrusted code execution
Jon Ribbens
jon+usenet at unequivocal.co.uk
Tue Apr 5 13:40:37 EDT 2016
On 2016-04-05, Chris Angelico <rosuav at gmail.com> wrote:
> On Wed, Apr 6, 2016 at 12:50 AM, Ian Kelly <ian.g.kelly at gmail.com> wrote:
>> Same here, although it looks to me like this approach could work. Or
>> I'm just not clever enough to see how it could be exploited.
>
> Having been bitten in the past (our test box was compromised by
> python-list white hats within 20 minutes of the invitation being sent
> out), I would go with the second of your options. Nearly anything is
> vulnerable if it's permitted to execute arbitrary code; all it takes
> is a sufficiently smart operator.
I am inviting sufficiently smart operators to demonstrate the flaw in
my suggested code ;-)