[Tutor] Security and Reliability of Python

Dave Angel davea at davea.name
Fri Jul 25 11:46:41 CEST 2014


Danny Yoo <dyoo at hashcollision.org> Wrote in message:
> > Python is only as secure as the code *you* write. If you write code
> > where you accept text from untrusted people over the Internet and then
> > execute it as code using eval() or exec(), then your code is vulnerable
> > to code injection attacks. The solution to this is simple: don't use
> > eval() or exec() on untrusted data. There is hardly ever a need to use
> > eval() or exec() in your own code. In 15 years, I've only used them a
> > handful of times, and then mostly for experiments.
> 
> 
> And we have to fight the good fight.  There are people out there who
> think that eval() is fine to teach to beginners.  I do not understand
> why.  As a concrete example that I came across today:
> 
>     https://plus.google.com/111222510165686226339/posts/jQrn9vkGxHA
> 
> Such teaching makes me very sad.  We have to really fight this hard to
> keep people from writing dangerous code.  It's a bit frustrating
> because the teacher there obviously knows enough to be dangerous, yet
> not enough to be respectfully cautious.

I tried to leave the following comment on that site, but cannot
figure how to use Google+ from a tablet.  I left it somewhere,
but apparently not on that page.

Why not introduce ast.literal_eval()?
It's a whole lot safer than eval().
-- 
DaveA
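As an added illustration of the point made above (example code, not from the thread or its participants): a small parser that accepts untrusted text only if it is a Python literal, using ast.literal_eval(), with a length cap and a type check that the function name, sample inputs and limit are constructed for this example.

```python
import ast

# Cap on untrusted text (constructed value): literal_eval never executes
# code, but very deeply nested input can still exhaust the parser's stack.
MAX_INPUT_LEN = 4096


def parse_untrusted(text, expected_type=None):
    """Parse untrusted text as a Python literal with ast.literal_eval.

    Only literals are accepted (numbers, strings, bytes, tuples, lists,
    dicts, sets, True/False/None). Names, calls, attribute access and
    arbitrary expressions are rejected, so nothing in `text` is executed.
    Returns the value, or raises ValueError with a short reason.
    """
    if len(text) > MAX_INPUT_LEN:
        raise ValueError("input too long")
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError,
            MemoryError, RecursionError) as exc:
        raise ValueError(f"not a literal: {type(exc).__name__}") from None
    # literal_eval returns any literal type, so still check the shape you expect.
    if expected_type is not None and not isinstance(value, expected_type):
        raise ValueError(f"expected {expected_type.__name__}, "
                         f"got {type(value).__name__}")
    return value


def classify(text):
    """Return ('accepted', value) or ('rejected', reason) for one input."""
    try:
        return ("accepted", parse_untrusted(text))
    except ValueError as exc:
        return ("rejected", str(exc))


# Constructed sample inputs, as a program expecting a Python literal
# (say, a list of numbers) might receive them from a user.
SAMPLE_INPUTS = [
    "[1, 2, 3]",                     # list literal: accepted
    "{'name': 'alice', 'age': 30}",  # dict literal: accepted
    "len('abc')",                    # a call: eval() would run it, literal_eval refuses
    "some_variable",                 # a bare name: refused, never looked up
]


def demo():
    """Classify every sample input; returns {input: (status, detail)}."""
    return {text: classify(text) for text in SAMPLE_INPUTS}


if __name__ == "__main__":
    for text, result in demo().items():
        print(f"{text!r:32} -> {result}")
```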
