[Tutor] executing a string representing python code

Luke Paireepinart rabidpoobear at gmail.com
Tue Mar 6 20:22:53 CET 2007


Cecilia Alm wrote:
> Hm, I'm not sure I see your point. Could an evil hacker not just as 
> easily change the dictionary in the python code (or somewhere else in 
> the code) to perform such evil operations?
Not too easily, if the code were distributed as .pycs.  However, code 
you read in from a plain text file and run, they could change easily.
HTH,
-Luke
>
> --C
>
> 2007/3/5, ALAN GAULD <alan.gauld at btinternet.com 
> <mailto:alan.gauld at btinternet.com>>:
>
>     > That's neat. When just the function call is the string,
>     > eval() seems appropriate. (For example, if reading what
>     > function to call from a file.)
>
>     It's convenient but incredibly dangerous.
>     It's much better in that case to create a dictionary of allowed
>     (ie safe!) functions that can be read and then look that up
>     from the file input.
>
>     Otherwise anyone who can access the file (legitimately or
>     otherwise) can start calling any of the standard Python functions,
>     including os.unlink() to delete files, or even os.system(), to do
>     just about anything - howsabout formatting your disk?
>
>     import sys
>
>     def some_func(): print 'some_func called'
>     def another_func(): print 'another_func called'
>
>     ok_funks = {
>           'some_func' : some_func,
>           'another_func': another_func,
>           'some_fancy_name': sys.exit
>     }
>
>     func = raw_input('type a function name>')
>     try: ok_funks[func]()   # look the name up in the dict, never eval it
>     except KeyError: print "That's not a valid function"  # only KeyError, so sys.exit's SystemExit is not swallowed
>
>     eval and exec are seductively powerful but they are immensely
>     dangerous in a world of crackers and virus makers. They should
>     only ever be used in strictly controlled scenarios and even then
>     as a last resort.
>
>     HTH,
>
>     Alan G.
>
> -- 
> E. Cecilia Alm
> Graduate student, Dept. of Linguistics, UIUC
> Office: 2013 Beckman Institute
> ------------------------------------------------------------------------
>
> _______________________________________________
> Tutor maillist  -  Tutor at python.org
> http://mail.python.org/mailman/listinfo/tutor
>   
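The allow-list dispatch Alan describes, as an added example in Python 3 (not code from the thread). The function names, the constructed "file contents" and the two runner functions below are assumptions made for illustration; the point is to show, on the same input lines, what eval() reaches that a dictionary lookup cannot.

```python
"""Allow-list dispatch instead of eval(): an added example in Python 3.

The function name comes from untrusted text (a config file, a network
message).  eval() hands that text the whole interpreter; a dict of
approved callables hands it exactly the names we chose and nothing else.
"""
import math


def area_of_circle(r):
    return math.pi * r * r


def double(x):
    return 2 * x


# Allow-list (hypothetical names): the key is what the untrusted text may
# use, the value is the callable we decided is safe.  Nothing else is reachable.
OK_FUNKS = {
    "area_of_circle": area_of_circle,
    "double": double,
}


def run_with_eval(command):
    """The pattern Alan warns against: the text IS the code."""
    return eval(command)


def run_with_dispatch(command, allowed=OK_FUNKS):
    """Parse 'name(arg)' ourselves, look the name up, never compile text.

    Returns (ok, result).  ok is False for an unknown name, a malformed
    call, or a non-numeric argument.
    """
    name, sep, rest = command.partition("(")
    if not sep or not rest.endswith(")"):
        return False, "malformed call"
    func = allowed.get(name.strip())
    if func is None:            # not on the allow-list: refuse, don't guess
        return False, "not a valid function"
    try:
        arg = float(rest[:-1])  # only a numeric literal is accepted as the argument
    except ValueError:
        return False, "argument must be a number"
    return True, func(arg)


# Constructed "file contents": one legitimate line, one planted by an attacker.
SAMPLE_LINES = [
    "double(21)",
    "__import__('os').getcwd()",   # harmless here, but eval has just handed it the os module
]


def demo():
    """Run every sample line through both strategies and collect the outcomes."""
    results = {}
    for line in SAMPLE_LINES:
        results[line] = {
            "eval": run_with_eval(line),
            "dispatch": run_with_dispatch(line),
        }
    return results


if __name__ == "__main__":
    for line, outcome in demo().items():
        print(repr(line))
        print("  eval     ->", repr(outcome["eval"]))
        print("  dispatch ->", outcome["dispatch"])
```

Running it shows the legitimate line succeeding under both strategies, while the planted line returns the process's working directory under eval() (the same path could just as well call os.system) and is refused by the dispatch version before any code runs. The argument is parsed as a numeric literal on purpose: the moment you hand the argument text to eval() "just for the number", the allow-list on the function name buys you nothing.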