Who needs exceptions (was Re: Two languages, too similar, competing in the same space.)

Roy Smith roy at panix.com
Sun Dec 30 11:14:36 EST 2001


Michael Stroder <michael at stroeder.com> wrote:
> Seriously, I'm sick of all the security announcements regarding
> buffer overflows and such. Not to speak of memory leaks. That's
> stone age.

On the other hand, a language like Python has its own set of potential 
security holes.  I guess the classic would be some variation on 
exec(readline()) or eval(readline()).  Sure, you're never supposed to write 
anything like that, but people do it (exactly the same can be said of not 
checking for buffer overflows in C).

If I were a bad guy looking to hack into machines by spoofing servers 
written in python, I'd throw:

   os.popen ('echo owned::0:0:YouAreOwned:/:/bin/sh >> /etc/passwd')

at every open port I could find and see what happened.  Do it to enough 
machines and you might strike gold eventually.  Would you suggest we 
eliminate eval() and exec() from the language?  Maybe taintPython? :-)

It's also possible to write memory leaks in python.  Consider something 
like:

packetLog = []            # nothing ever removes entries from this list
while 1:
   request = getPacketFromSocket()
   packetLog.append (request)   # every request stays referenced forever
   doStuffWithPacket (request)

It's pretty dumb to write something like that, but it certainly is a memory 
leak.
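As an added illustration of the eval(readline()) point above (this is editorial example code, not part of Roy Smith's post), here is the unsafe pattern next to two safer ways of reading the same input: ast.literal_eval, which parses Python literals only and raises on anything executable, and a JSON request dispatched through a fixed table of allowed commands. The sample lines and the command names are constructed for the example.

```python
import ast
import json

# Constructed sample lines, standing in for what a server reads off a socket.
# Only the first is data; the other two are expressions that eval() would run.
CONSTRUCTED_LINES = [
    "{'cmd': 'ping', 'args': [1, 2, 3]}",
    "__import__('os').getcwd()",
    "[x for x in range(3)]",
]

def handle_unsafe(line):
    """The pattern the post warns about: eval() on whatever the peer sent.
    Any expression the client writes runs with the server's privileges."""
    return eval(line)

def handle_literal(line):
    """ast.literal_eval accepts Python literals only (numbers, strings, tuples,
    lists, dicts, sets, booleans, None).  Names, calls, attribute access and
    comprehensions raise ValueError, so nothing the peer wrote gets executed."""
    return ast.literal_eval(line)

def classify(lines):
    """Run each line through the literal-only parser and report which lines
    were accepted as data and which were rejected."""
    accepted, rejected = [], []
    for line in lines:
        try:
            accepted.append(handle_literal(line))
        except (ValueError, SyntaxError):
            rejected.append(line)
    return accepted, rejected

# One step further: do not parse Python at all.  Read a structured format
# (JSON here) and dispatch on a fixed table of handlers the server chose.
def add(a, b):
    return a + b

def ping(*args):
    return list(args)

ALLOWED_COMMANDS = {"add": add, "ping": ping}   # constructed command table

def dispatch(line, commands=ALLOWED_COMMANDS):
    """Parse one JSON request and run only a handler named in the table."""
    msg = json.loads(line)
    if not isinstance(msg, dict) or not isinstance(msg.get("args", []), list):
        raise ValueError("malformed request")
    handler = commands.get(msg.get("cmd"))
    if handler is None:
        raise ValueError("unknown command: %r" % msg.get("cmd"))
    return handler(*msg.get("args", []))

if __name__ == "__main__":
    accepted, rejected = classify(CONSTRUCTED_LINES)
    print("accepted as data:", accepted)
    print("rejected:", rejected)
    print("dispatch:", dispatch('{"cmd": "add", "args": [2, 3]}'))
```

Note that handle_unsafe is kept only to show the contrast; with the comprehension line it happily builds a list, and with the __import__ line it would call into os just the same. The dispatch table is the version that removes the problem rather than filtering it: the client names a command, the server decides what code that name maps to.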
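And for the packetLog loop, an added example (again not from the original post) that runs the same loop twice: once with a plain list, once with collections.deque(maxlen=...) so the log keeps only the most recent requests. getPacketFromSocket and doStuffWithPacket are replaced by constructed stand-ins so it runs offline.

```python
from collections import deque

def constructed_packets(n):
    """Stand-in for getPacketFromSocket(): yields n constructed requests."""
    for i in range(n):
        yield b"REQ %d" % i

def process(packet):
    """Stand-in for doStuffWithPacket(): just counts the bytes."""
    return len(packet)

def serve_unbounded(n):
    """The post's loop: every request is appended to a list that nothing ever
    trims, so the log (and the memory it holds) grows with every request."""
    packet_log = []
    handled = 0
    for request in constructed_packets(n):
        packet_log.append(request)
        handled += process(request)
    return packet_log, handled

def serve_bounded(n, keep=100):
    """Same loop with deque(maxlen=keep): appending to a full deque drops the
    oldest entry, so at most `keep` recent requests stay referenced."""
    packet_log = deque(maxlen=keep)
    handled = 0
    for request in constructed_packets(n):
        packet_log.append(request)
        handled += process(request)
    return packet_log, handled

if __name__ == "__main__":
    log, total = serve_unbounded(10000)
    print("unbounded log entries:", len(log), "bytes handled:", total)
    log, total = serve_bounded(10000)
    print("bounded log entries:", len(log), "bytes handled:", total)
```

Both versions do exactly the same work on each packet; the only difference is what survives the loop iteration. A long-running server with the first shape is the "memory leak" the post describes, even though no allocation is ever lost in the C sense.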
