[Python-3000] PEP 3131 accepted
Ian D. Bollinger
ian.bollinger at gmail.com
Wed May 23 12:03:43 CEST 2007
Ka-Ping Yee wrote:
> 2. Python will become vulnerable to a new class of security
> exploits via the writing of misleading or malicious code
> that is visually indistinguishable from correct code.
> Consequently it will be more difficult for humans to
> inspect code and assure its correctness or trustworthiness.
> There is very little established best practice for
> addressing homograph security issues.
>
Isn't it already easy enough to do that today?
>>> import base64; exec base64.decodestring('cHJpbnQgJ0hlbGxvLCB3b3JsZCEn\n')
... Hello, world!
Admittedly, you could look for anything like that and be suspicious, but
running a program from an untrusted source is always going to be
dangerous. For standalone applications, you can already do things like
compile malicious C extension modules that are impossible to verify.
As for programs that use Python for scripting, shouldn't it be up to
them to ensure that it runs in a restricted environment? A browser, for
instance, would have to do that already.
- Ian D. Bollinger
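
Added example, not part of the original message or of PEP 3131: a small Python 3 review aid that flags the two things discussed in this thread, identifiers that mix Unicode scripts and exec/eval calls on non-literal data. The names audit, scripts and SAMPLE are hypothetical, the sample source is constructed, and taking the first word of the Unicode character name as the script is a heuristic assumption, not a full confusables check such as the one in Unicode UTS #39.

```python
import ast
import io
import tokenize
import unicodedata


def scripts(ident):
    """Return the set of script guesses for the letters in an identifier."""
    found = set()
    for ch in ident:
        if ch.isalpha():
            # Heuristic: first word of the character name (LATIN, CYRILLIC, GREEK, ...).
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def audit(source):
    """Return sorted (line, kind, detail) findings for Python 3 source text."""
    findings = set()
    # Pass 1: identifiers that are not pure ASCII, split by single vs. mixed script.
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.NAME and not tok.string.isascii():
            found = scripts(tok.string)
            kind = "mixed-script" if len(found) > 1 else "non-ascii"
            findings.add((tok.start[0], kind, f"{tok.string!a} {sorted(found)}"))
    # Pass 2: exec()/eval() whose first argument is not a literal constant.
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("exec", "eval")
                and not (node.args and isinstance(node.args[0], ast.Constant))):
            findings.add((node.lineno, "dynamic-exec", node.func.id))
    return sorted(findings)


# Constructed sample: line 3 uses Cyrillic U+0430 where line 2 uses Latin "a".
SAMPLE = (
    "import base64\n"
    "total = 1\n"
    "tot\u0430l = 2\n"
    "exec(base64.b64decode('cHJpbnQoMSk='))\n"
)

if __name__ == "__main__":
    for line, kind, detail in audit(SAMPLE):
        print(f"line {line}: {kind}: {detail}")
```

The source is only tokenized and parsed, never executed, so it can be run over untrusted files before review.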