[Tutor] Security [Was: Re: Decoding]
Kent Johnson
kent37 at tds.net
Mon Aug 13 22:53:16 CEST 2007
Michael Sparks wrote:
>> Anything where user input is executed as code is a security hole and
>> should never be opened to untrusted users.
>
> foo = raw_input(...)
> x = eval(foo)
>
> Is an exception, in almost[*] every scenario I can think of. (and is the
> context in which eval was being used, as far as I can see without reading
> the whole thread)
>
> Why? Because if they can type on the keyboard of a machine that's running
> raw_input they have the ability to do far more damage that way than any
> other. (ability to use a real sledgehammer on the machine springs to mind
> :-)
Hmm...could be a remote connection such as ssh, which precludes the
sledgehammer though probably not the sort of mischief you can get into
with eval()...perhaps there are untrusted remote connections where
eval() would still be a significant risk, I don't know...
Kent
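To make the point under discussion concrete, here is an added example (not code from this thread or from either poster) that puts the quoted `eval(raw_input(...))` pattern beside the standard library's `ast.literal_eval()`, which is the usual substitute when the goal is to parse a literal a user typed rather than to run code. It is written for Python 3, so `input()` stands in for `raw_input()`; the sample inputs are constructed, and the hostile ones are deliberately harmless (one imports `os` and reads the working directory, the other appends to a module-level list to prove that attacker-supplied code ran).

```python
import ast

# Added example (not from the original thread): the eval() pattern quoted
# above beside ast.literal_eval(), the usual drop-in when the goal is to
# parse a Python literal typed by a user rather than to run code.
# Written for Python 3, so input() stands in for raw_input().

# Sentinel that an "attacker" payload can reach through eval()'s access to
# this module's globals. Any entry here proves untrusted code executed.
EXECUTED = []

# Constructed sample inputs; the hostile ones are deliberately harmless.
CONSTRUCTED_INPUTS = {
    "benign list": "[1, 2, 3]",
    "benign nested": "{'user': 'kent', 'ids': (1, 2)}",
    "import os": "__import__('os').getcwd()",
    "side effect": "EXECUTED.append('attacker code ran') or 'done'",
}


def parse_with_eval(text):
    """The pattern from the thread: whatever Python is in `text` runs."""
    return eval(text)  # deliberately unsafe, for demonstration only


def parse_with_literal_eval(text):
    """Hardened form: accepts only Python literals (numbers, strings, bytes,
    tuples, lists, dicts, sets, booleans, None); anything else, such as a
    call, attribute access or name lookup, raises ValueError."""
    return ast.literal_eval(text)


def run_untrusted(text, parser):
    """Feed attacker-controlled `text` to `parser`.

    Returns ("ok", value) when the parser produced a value, or
    ("rejected", exception_name) when it refused the input.
    """
    try:
        return ("ok", parser(text))
    except (ValueError, SyntaxError) as exc:
        return ("rejected", type(exc).__name__)


def demo():
    """Run every constructed input through both parsers and collect the
    outcomes, keyed by input label and then by parser name."""
    return {
        label: {
            "eval": run_untrusted(payload, parse_with_eval),
            "literal_eval": run_untrusted(payload, parse_with_literal_eval),
        }
        for label, payload in CONSTRUCTED_INPUTS.items()
    }


def attacker_code_ran():
    """True once any payload has managed to execute code via eval()."""
    return "attacker code ran" in EXECUTED


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:14} eval={outcome['eval']!r:40} "
              f"literal_eval={outcome['literal_eval']!r}")
    print("attacker code ran via eval():", attacker_code_ran())
    # The quoted snippet, interactive, with the safe parser in place of eval():
    foo = input("Enter a Python literal: ")
    print("parsed:", run_untrusted(foo, parse_with_literal_eval))
```

The benign inputs parse identically under both functions, which is why `eval()` looks harmless in a tutorial; the difference only shows on the hostile inputs, where `eval()` happily imports `os` and mutates module state while `ast.literal_eval()` raises `ValueError` before anything executes. Note that `literal_eval` is a parser, not a sandbox: it protects against code execution, but a caller still has to validate the shape and size of the literal it gets back.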