[Tutor] IndexError: list index out of range

Steven D'Aprano steve at pearwood.info
Sat Nov 30 03:23:15 CET 2013 

On Fri, Nov 29, 2013 at 08:17:54PM -0500, richard kappler wrote:
> I have a script that makes use of the Google speech recognition API as
> follows:
[...]
> args = shlex.split(cmd)
> output,error = subprocess.Popen(args,stdout = subprocess.PIPE, stderr=
> subprocess.PIPE).communicate()
> 
> if not error:
> a = eval(output)

A trivial typo here: the line a = eval(output) needs to be indented.

More importantly though, this is quite risky. You're downloading data 
from the internet, then executing it as code. I really, really, really 
hope you trust the source of that data. By eval()ing their code, you 
give them complete and total control of your PC -- anything you can do, 
they can do.

It's not just *them* that you have to trust, but anyone in the world who 
manages to compromise their server or the communication channel between 
them and you.

How safe do you feel?


> ERROR:
> Traceback (most recent call last):
>   File "inga.py", line 146, in <module>
>     confidence= a['hypotheses'][0]['confidence']
> IndexError: list index out of range
> 
> If I understand it correctly, the traceback is telling me that there is no
> position [0] in my list, but I don't understand how that can be true. I'm
> not using the variable "confidence" anywhere else in the program.

It's not "confidence" that has no position 0, but a['hypotheses'], 
whatever that is.

Start by printing a['hypotheses'] and seeing what it contains. My guess 
is that it probably contains an empty list, [].

Here's another reason for avoiding eval(). Presumably a['hypotheses'] is 
set by the code you download and then eval. That makes it completely 
opaque -- you can't easily see what it is doing, and if it plays up, you 
can't do anything about it. It's a complete black box that either works 
or doesn't work.

What can we do about this? Well, if using eval() really is the only way 
to do this, I'd say the risk is not worth it. That sort of gung-ho 
attitude to security suggests that it's only a matter of time before the 
source is hacked, and once they're hacked, anyone using it is vulnerable 
too.

[Aside: This sort of crap really makes me angry -- code injection 
vulnerabilities are one of the most common ways that viruses, spyware 
and other malware get into people's computers, and Google should know 
better than this. If Google actually recommend you use eval() to access 
their service, that just demonstrates that the Speech Recognition team 
don't give a monkey's toss for your security.]

In the meantime, you can start by printing the code before eval()'ing 
it. That way at least we can see what it's supposed to be getting. Go 
back to the lines:

if not error:
    a = eval(output)

and change the block to:

    print(output)
    a = eval(output)  # WARNING WARNING DANGER DANGER
    print(a)


and then we can see what the code was supposed to do and what it 
actually did. My guess is that it was working before, but you've 
exceeded some limit on the number of requests per day, or possibly the 
speech recognition can't make out any words so it just returns an empty 
list.


[soapbox] 
This is not aimed at you, you're a beginner and can be excused. But the 
Google techs have NO EXCUSE.  I am so effing sick of coders in the 21st 
century who have no effing clue about even the most common-sense basics 
of security. No wonder there are so many malware and viruses around. 
Using eval here is like posting the keys to your house to some arbitrary 
tradesperson you've never met with instructions "I'll be away all next 
week, come around whenever you like and do whatever jobs you think need 
doing." You damn well better trust them, AND the post office.



-- 
Steven

More information about the Tutor mailing list