[Tutor] Security [Was: Re: Decoding]

bhaaluu bhaaluu at gmail.com
Mon Aug 13 13:57:38 CEST 2007


Greetings,

On 8/12/07, Kent Johnson <kent37 at tds.net> wrote:
> bhaaluu wrote:
> >
> >>>> print chr(eval('65'))
> > A
>
> There is no need to use eval() here. Since the expected values are
> integers, just use int():
> In [6]: chr(int('65'))
> Out[6]: 'A'
>
> This gives a clearer error message when the input is not as expected:
> In [7]: chr(int('How'))
> ------------------------------------------------------------
> Traceback (most recent call last):
>    File "<ipython console>", line 1, in <module>
> <type 'exceptions.ValueError'>: invalid literal for int() with base 10:
> 'How'
>
> In general it's a good idea to avoid using eval() especially with user
> input, it is a gaping security hole.
>
> Kent

The original poster posted a post with the following function:
        def dec():
            import string
            message=raw_input("Enter the message to decode: ")
            result=''
            for x in string.split(message):
                result=result+chr(eval(x))
            return result

        print dec()
which is from the book:
"Python programming: An introduction to CS" by John M. Zelle.

As a Python Noob, I'm obviously ignorant of most of the Python
language, but I wonder why the author of a book would include
a function that is a "gaping security hole," when the int() function
would do the job just as nicely, and without the security concerns?

Of course, I don't know what context the snippet is in because I
don't have a copy of the book in question. But as a Python Noob,
I really do appreciate your heads-up about eval(), and I have it
red-flagged as a 'gaping security' concern, and will use it with
extreme caution in the future. =)

Now for MY question: Besides eval(), are there other functions that
should be 'red-flagged' as well? I just haven't been around Python
long enough yet to become familiar with all of the Standard Library.
Correct me if I'm wrong, but with 29 keywords, and over 176 library
functions, Python weighs-in at over 200 Standard "objects"?

Cheers! =)
-- 
bhaaluu at gmail dot com
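The contrast Kent draws above, worked through in code. This is an added example written for Python 3, not code from the thread or from Zelle's book: `decode_with_eval()` mirrors the book's approach, `decode_with_int()` is the hardened form, and `rejects()` is a helper added here for checking which inputs the hardened form refuses. The sample messages are constructed.

```python
# Added example (not from the thread or from the book): the decoder written
# two ways for Python 3. eval() runs each token as a Python expression, so
# "36*2" decodes just like "72"; int() accepts only an integer literal and
# raises ValueError with a clear message for anything else.


def decode_with_eval(message):
    """Mirror of the book's approach: each token is evaluated as code."""
    return ''.join(chr(eval(token)) for token in message.split())


def decode_with_int(message):
    """Hardened form: tokens must be integer literals in the chr() range."""
    result = []
    for token in message.split():
        code = int(token)  # ValueError: invalid literal for int() with base 10
        if not 0 <= code <= 0x10FFFF:
            raise ValueError("code point out of range: %d" % code)
        result.append(chr(code))
    return ''.join(result)


def rejects(message):
    """Return True if decode_with_int() refuses the message."""
    try:
        decode_with_int(message)
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    # Constructed sample inputs.
    print(decode_with_int("72 105"))        # Hi
    print(decode_with_eval("36*2 105"))     # also Hi: eval() computed 36*2
    print(rejects("36*2 105"))              # True: int('36*2') is rejected
    print(rejects("How"))                   # True: same ValueError Kent showed
```

The point of the side-by-side is that `int()` narrows the accepted input to exactly what the program expects (integer literals), so any token that is not one fails immediately with a readable error, instead of being handed to the interpreter as code.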
