[Tutor] functions
alan.gauld@bt.com
Tue, 29 Jan 2002 11:03:10 -0000
> This seems important to understand in general too. Is it
> possible for someone to write a module and publish it
Of course, that's what's on Useless Python and the
Vaults of Parnassus - lots of published modules that
you can download.
> can come along, download it, and import it -- and then it
> turns out that the module executes some malicious code
> on their system?
Absolutely, caveat emptor.
You should always check and understand modules that you
download.
> would be wise to read the source of anything that you don't know for
> sure about. But if I invoked python (in Unix), wouldn't the Python
> interpreter then inherit my own environment variables,
> therefore being able to perform actions within my account
> that otherwise it would not be able to do?
No, the interpreter remains exactly the same. But if the module
was malicious it could run under the interpreter and scrape off
a list of valid user IDs for your system and mail them to
somebody, say... or more directly just delete all the files on
your disk!
> I am talking about a Trojan Horse.
No, nothing so subtle. Just malicious code that you naively
downloaded and ran. It's no different to blindly downloading
an EXE from a web site and running it - you just hope it
does what it says on the label. The difference with Python
modules is at least you can read the code!
Alan g.
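
The advice above to read a downloaded module before using it can be supported by parsing the file without importing it, so nothing in it runs. The following is an added example, not part of the original post; the module shortlist, the function names and the sample source are assumptions made up for illustration.

```python
import ast

# Assumed shortlist of names worth a closer read in a downloaded module; not exhaustive.
REVIEW_MODULES = {"os", "subprocess", "shutil", "socket", "smtplib", "urllib", "ctypes"}
REVIEW_CALLS = {"eval", "exec", "compile", "__import__"}
# Constructed sample standing in for a downloaded file; it is only parsed, never run.
SAMPLE = '''\
import os

def area(r):
    return round(3.14159 * r * r, 2)

os.system("echo constructed sample")
'''

def _call_name(node):
    """Return the dotted name of a call target such as os.system, or None."""
    parts, target = [], node.func
    while isinstance(target, ast.Attribute):
        parts.append(target.attr)
        target = target.value
    if isinstance(target, ast.Name):
        return ".".join([target.id] + parts[::-1])
    return None

def _import_time_calls(node):
    """Yield calls that run on import; function definitions and lambdas are skipped."""
    for child in ast.iter_child_nodes(node):
        if isinstance(child, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            continue
        if isinstance(child, ast.Call):
            yield child
        yield from _import_time_calls(child)

def review_source(source, filename="<downloaded>"):
    """Parse source without executing it; return sorted (line, kind, name) findings."""
    tree = ast.parse(source, filename)
    findings = []
    for node in ast.walk(tree):
        names = []
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        findings += [(node.lineno, "import", n) for n in names if n.split(".")[0] in REVIEW_MODULES]
        if isinstance(node, ast.Call) and _call_name(node) in REVIEW_CALLS:
            findings.append((node.lineno, "dynamic-code", _call_name(node)))
    findings += [(c.lineno, "runs-at-import", _call_name(c) or "<expr>") for c in _import_time_calls(tree)]
    return sorted(findings)
```

The findings only say where to start reading; a module that reports nothing still needs to be read before it is trusted.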