[Tutor] Security and Reliability of Python

Danny Yoo dyoo at hashcollision.org
Fri Jul 25 06:46:58 CEST 2014


> Python is only as secure as the code *you* write. If you write code
> where you accept text from untrusted people over the Internet and then
> execute it as code using eval() or exec(), then your code is vulnerable
> to code injection attacks. The solution to this is simple: don't use
> eval() or exec() on untrusted data. There is hardly ever a need to use
> eval() or exec() in your own code. In 15 years, I've only used them a
> handful of times, and then mostly for experiments.


And we have to fight the good fight.  There are people out there who
think that eval() is fine to teach to beginners.  I do not understand
why.  As a concrete example that I came across today:

    https://plus.google.com/111222510165686226339/posts/jQrn9vkGxHA

Such teaching makes me very sad.  We have to really fight this hard to
keep people from writing dangerous code.  It's a bit frustrating
because the teacher there obviously knows enough to be dangerous, yet
not enough to be respectfully cautious.
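An added illustration, not part of the original thread, of the point both the quoted reply and Danny make: the same "read a number from the user" task written with eval(), and then written with two bounded alternatives from the standard library. The function names and the whitelist of operators are my own choices; ast.literal_eval and ast.parse are real stdlib calls.

```python
import ast
import operator

# The pattern the thread warns against: eval() on text from an untrusted
# source. Whatever Python the text contains is executed, not just parsed.
def unsafe_read_number(text):
    return eval(text)

# Alternative 1: ast.literal_eval accepts only Python literals (numbers,
# strings, tuples, lists, dicts, ...). Names and calls are rejected.
def read_literal(text):
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"not a literal: {text!r}") from exc

# Alternative 2: a tiny arithmetic evaluator that walks the AST and accepts
# only an explicit whitelist of node types and operators. Pow is left out on
# purpose: 9**9**9 is a denial of service, not an injection, but still a bug.
_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
_UNARYOPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}

def safe_arith(text, max_len=200):
    # Bound the input size before parsing so a huge string cannot be used
    # to exhaust the parser.
    if len(text) > max_len:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(text, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not an expression: {text!r}") from exc
    return _eval_node(tree.body)

def _eval_node(node):
    # Numeric constants only (bool is a subclass of int, so exclude it).
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_eval_node(node.left),
                                      _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARYOPS:
        return _UNARYOPS[type(node.op)](_eval_node(node.operand))
    # Anything else (Name, Call, Attribute, Subscript, ...) is refused.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")

if __name__ == "__main__":
    # Constructed sample inputs: a harmless expression and a function call.
    for text in ["2 + 3 * 4", "len('abc')"]:
        for fn in (read_literal, safe_arith):
            try:
                print(fn.__name__, repr(text), "->", fn(text))
            except ValueError as exc:
                print(fn.__name__, repr(text), "-> rejected:", exc)
```

The difference is in what each function can possibly do: eval() will run any call expression it is handed, literal_eval only ever builds data, and the whitelist evaluator can only do the five arithmetic operations listed in its table. When a beginner's program genuinely needs a number, int() or float() on the input is simpler still and is the answer to give them.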

