Untrusted code execution

Chris Angelico rosuav at gmail.com
Tue Apr 5 22:44:52 EDT 2016


On Wed, Apr 6, 2016 at 11:43 AM, Steven D'Aprano <steve at pearwood.info> wrote:
> Look at what you've done: you've restricted the entire world of Python down
> to, effectively, a calculator and a few string methods. That's not to say
> that a calculator and a few string methods won't be useful to someone, but
> the next Javascript it is not...

It most certainly is useful. Want a calculator? Restrict the character
set to "0123456789+-/*() " (or if you prefer: ensure that it matches
"^[-+/*0-9 ()]*$") and then eval it. AFAIK you can't attack anything
with just those characters (again, aside from DoSing by ridiculous
exponentiation). Plenty of places I've used that kind of thing, but
yeah, the next JS it is not.

ChrisA
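The regex-gated calculator described above, as an added example that is not code from the post or from anyone in the thread. The character class is the one the message gives; the length cap, the rejection of the two-character `**` sequence, the empty `__builtins__` namespace and the use of `re.fullmatch` (the post's `^...$` with `re.match` also matches a string ending in a newline) are assumptions added here, not something the post specifies.

```python
import re

# Allow-list from the post: digits, the four operators, parentheses and space.
# re.fullmatch is used instead of the post's ^...$ because '$' also matches
# just before a trailing newline under re.match; fullmatch has no such exception.
ALLOWED = re.compile(r"[-+/*0-9 ()]*")

MAX_LEN = 200  # assumption: a cap on input size, not part of the post


def safe_calc(expr: str):
    """Evaluate an arithmetic expression after checking it against the allow-list.

    Raises ValueError for anything that fails the gate. Errors raised by eval
    itself on accepted input (ZeroDivisionError, SyntaxError on unbalanced
    parentheses, ...) propagate to the caller.
    """
    if len(expr) > MAX_LEN:
        raise ValueError("expression too long")
    if ALLOWED.fullmatch(expr) is None:
        raise ValueError("disallowed character in expression")
    # '**' is two allowed '*' characters in a row, so the character filter alone
    # passes '9**9**9': that is the exponentiation DoS the post mentions.
    # Rejecting the two-character sequence is an addition on top of the regex.
    if "**" in expr:
        raise ValueError("exponentiation not allowed")
    # No identifier can survive the filter, so builtins are never needed; the
    # empty __builtins__ mapping is defense in depth, not the actual control.
    return eval(expr, {"__builtins__": {}}, {})


def is_accepted(expr: str) -> bool:
    """True if the gate lets the expression reach eval, False if it is rejected."""
    try:
        safe_calc(expr)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate expressions, two injection
    # attempts that need characters outside the class, and one DoS attempt.
    samples = [
        "2*(3+4)",
        "10-4/2",
        "__import__('os').system('id')",
        "().__class__.__bases__[0].__subclasses__()",
        "9**9**9",
    ]
    for s in samples:
        try:
            print(f"{s!r:45} -> {safe_calc(s)!r}")
        except ValueError as e:
            print(f"{s!r:45} -> rejected: {e}")
```

The point of the gate is that nothing reaching eval can contain a letter, dot, underscore, quote or bracket, so no attribute lookup, call or import can be expressed at all; the character filter is the whole control, and the extra checks only close the exponentiation and input-size holes the post itself acknowledges.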


