[Tutor] executing a string representing python code
Luke Paireepinart
rabidpoobear at gmail.com
Tue Mar 6 20:22:53 CET 2007
Cecilia Alm wrote:
> Hm, I'm not sure I see your point. Could an evil hacker not just as
> easily change the dictionary in the python code (or somewhere else in
> the code) to perform such evil operations?
Not too easily, if the code were distributed as .pycs. However, if you run
code read in from a plain text file, they could change it easily.
HTH,
-Luke
>
> --C
>
> 2007/3/5, ALAN GAULD <alan.gauld at btinternet.com
> <mailto:alan.gauld at btinternet.com>>:
>
> > That's neat. When just the function call is the string,
> > eval() seems appropriate. (For example, if reading what
> > function to call from a file.)
>
> It's convenient but incredibly dangerous.
> It's much better in that case to create a dictionary of allowed
> (ie safe!) functions that can be read and then look that up
> from the file input.
>
> Otherwise anyone who can access the file (legitimately or
> otherwise) can start calling any of the standard Python functions,
> including os.unlink() to delete files, or even os.system(), to do
> just about anything - how about formatting your disk?
>
> import sys
>
> # some_func and another_func are the application's own functions;
> # only names listed here can be called from the user's input.
> ok_funks = {
> 'some_func' : some_func,
> 'another_func': another_func,
> 'some_fancy_name': sys.exit
> }
>
> func = raw_input('type a function name>')
> try: ok_funks[func]()
> except KeyError: print 'Thats not a valid function'
>
> eval and exec are seductively powerful but they are immensely
> dangerous in a world of crackers and virus makers. They should
> only ever be used in strictly controlled scenarios and even then
> as a last resort.
>
> HTH,
>
> Alan G.
>
> --
> E. Cecilia Alm
> Graduate student, Dept. of Linguistics, UIUC
> Office: 2013 Beckman Institute
> ------------------------------------------------------------------------
>
> _______________________________________________
> Tutor maillist - Tutor at python.org
> http://mail.python.org/mailman/listinfo/tutor
>
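The contrast Alan draws above, as an added example that is not part of the thread: an eval()-based dispatcher beside an allow-list dispatcher, fed the same command strings. The application functions (greet, shutdown), the hostile string and the "restricted" eval variant are all assumptions constructed for the demo; the hostile payload uses os.getcwd() rather than a destructive call so it is safe to run, but it proves that arbitrary code was executed. The restricted variant also shows why stripping __builtins__ from eval's globals is not a fix: attribute access on a plain tuple still reaches every loaded class through object.__subclasses__(), which is the classic starting point for recovering os from a "sandboxed" eval.

```python
"""Added example (not from the mailing-list thread): eval() dispatch vs allow-list dispatch."""
import os

# Hypothetical application functions a config file or user may name.
def greet():
    return "hello"

def shutdown():
    return "shutting down"

# Vulnerable: the string is handed to the interpreter. Anything goes.
def dispatch_eval(command):
    return eval(command)

# Often proposed "fix": eval with builtins removed. Still not safe.
def dispatch_eval_restricted(command):
    return eval(command, {"__builtins__": {}})

# Hardened: the input is only ever used as a dictionary key, never executed.
ALLOWED = {
    "greet": greet,
    "shutdown": shutdown,
}

def dispatch_allowlist(command):
    try:
        func = ALLOWED[command]
    except KeyError:
        raise ValueError("not a valid function: %r" % command)
    return func()

# Constructed hostile input. A real attacker would write e.g.
# __import__('os').system('rm -rf /'); getcwd() is an observable, harmless stand-in.
HOSTILE = "__import__('os').getcwd()"

# Constructed bypass for the restricted variant: no builtins needed, pure attribute
# access walks from an empty tuple to object and enumerates every loaded class.
BYPASS = "().__class__.__base__.__subclasses__()"

def demo():
    """Run each dispatcher on benign and hostile input; return what happened."""
    results = {}

    results["eval_benign"] = dispatch_eval("greet()")
    # True: the attacker's code ran inside our process.
    results["eval_hostile_ran"] = dispatch_eval(HOSTILE) == os.getcwd()

    # __import__ is gone, so the naive payload fails...
    try:
        dispatch_eval_restricted(HOSTILE)
        results["restricted_hostile"] = "executed"
    except NameError:
        results["restricted_hostile"] = "blocked"
    # ...but the sandbox is still escapable: we get a list of classes to pick os from.
    classes = dispatch_eval_restricted(BYPASS)
    results["restricted_bypass_reaches_classes"] = isinstance(classes, list) and len(classes) > 0

    results["allowlist_benign"] = dispatch_allowlist("greet")
    # Anything that is not exactly an allowed key is rejected, even "greet()".
    for name, cmd in (("allowlist_hostile", HOSTILE), ("allowlist_parens", "greet()")):
        try:
            dispatch_allowlist(cmd)
            results[name] = "executed"
        except ValueError:
            results[name] = "rejected"
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print("%-32s %r" % (key, value))
```

The allow-list version does what Alan's ok_funks dictionary does: the only way to influence behaviour is to pick one of the keys the author chose, and a KeyError on anything else is the correct outcome rather than an error to paper over with a bare except. Note that the restricted eval blocks only the lazy payload; treat eval with a stripped namespace as no safer than plain eval.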