[Tutor] Security [Was: Re: Decoding]
Kent Johnson
kent37 at tds.net
Mon Aug 13 16:28:07 CEST 2007
bhaaluu wrote:
> The original poster posted a post with the following function:
> def dec():
>     import string
>     message=raw_input("Enter the message to decode: ")
>     result=''
>     for x in string.split(message):
>         # each whitespace-separated token is evaluated as a Python expression
>         result=result+chr(eval(x))
>     return result
>
> print dec()
> which is from the book:
> "Python programming: An introduction to CS" by John M. Zelle.
>
> As a Python Noob, I'm obviously ignorant of most of the Python
> language, but I wonder why the author of a book would include
> a function that is a "gaping security hole," when the int() function
> would do the job just as nicely, and without the security concerns?
I can't answer for Mr Zelle. Looking at the book, he introduces int(),
float() and long() shortly after the section containing the above example.
>
> Of course, I don't know what context the snippet is in because I
> don't have a copy of the book in question. But as a Python Noob,
> I really do appreciate your heads-up about eval(), and I have it
> red-flagged as a 'gaping security' concern, and will use it with
> extreme caution in the future. =)
Good. There is almost always a better way to accomplish a task than to
use eval().
> Now for MY question: Besides eval(), are there other functions that
> should be 'red-flagged' as well? I just haven't been around Python
> long enough yet to become familiar with all of the Standard Library.
> Correct me if I'm wrong, but with 29 keywords, and over 176 library
> functions, Python weighs-in at over 200 Standard "objects"?
Anything where user input is executed as code is a security hole and
should never be opened to untrusted users.
eval()
exec
execfile()
come to mind.
Kent
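The point of the thread, as an added example that is not from the original posts or from Zelle's book: the eval()-based decoder beside a version that does the same job with int(). The malicious message and the SIDE_EFFECTS sentinel are constructed here to show that a token passed to eval() can run arbitrary code while still producing a plausible-looking character; the names decode_unsafe, decode_safe and safe_rejects are this example's own. Written for Python 3 (the original is Python 2, hence raw_input and the print statement).

```python
# Added example, not code from the thread or the book.
# SIDE_EFFECTS is a constructed sentinel: anything appended here proves that
# text supplied as "data" was executed as code.
SIDE_EFFECTS = []


def decode_unsafe(message):
    """The decoder as posted, minus raw_input(): eval() executes each token."""
    result = ""
    for token in message.split():
        result = result + chr(eval(token))
    return result


def decode_safe(message):
    """Same job with int(): a token is a decimal code point or it is rejected."""
    chars = []
    for token in message.split():
        try:
            code = int(token)           # no expression evaluation, no names, no calls
        except ValueError:
            raise ValueError("not a decimal code point: %r" % token)
        if not 0 <= code <= 0x10FFFF:   # chr() would raise anyway; fail with a clear message
            raise ValueError("code point out of range: %d" % code)
        chars.append(chr(code))
    return "".join(chars)


def safe_rejects(message):
    """True if decode_safe() refuses the message (used to check the hardened path)."""
    try:
        decode_safe(message)
    except ValueError:
        return True
    return False


# Constructed inputs. BENIGN is what the book's exercise expects.
BENIGN = "72 105"

# Each token is handed to eval() as an expression, so a token can be any
# Python expression with no whitespace in it. This one appends to SIDE_EFFECTS
# and then evaluates to 72, so the decoded text still reads "Hi".
MALICIOUS = "(SIDE_EFFECTS.append('pwned'),72)[1] 105"


if __name__ == "__main__":
    print(decode_unsafe(BENIGN), decode_safe(BENIGN))
    print(decode_unsafe(MALICIOUS), SIDE_EFFECTS)   # looks fine, but code ran
    print(safe_rejects(MALICIOUS))                  # int() refuses the token
```

With int() the only things a token can be are digits and a sign; anything else is a ValueError, so the caller decides what to do with bad input instead of the Python interpreter doing it. The same reasoning applies to exec and execfile(): if the text came from an untrusted user, it must be parsed as data, never run as code.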