On Thu, Jul 26, 2012 at 4:20 AM, vinay.sajip wrote:

+ .. note:: Because portions of the configuration are passed through + :func:`eval`, use of this function may open its users to a security risk. + While the function only binds to a socket on ``localhost``, and so does + not accept connections from remote machines, there are scenarios where + untrusted code could be run under the account of the process which calls + :func:`listen`. Specifically, if the process calling :func:`listen` runs + on a multi-user machine where users cannot trust each other, then a + malicious user could arrange to run essentially arbitrary code in a + victim user's process, simply by connecting to the victim's + :func:`listen` socket and sending a configuration which runs whatever + code the attacker wants to have executed in the victim's process. This is + especially easy to do if the default port is used, but not hard even if a + different port is used).

Looking at PEP 391, it appears it should be possible to replace the current use of eval() with a combination of the much safer ast.literal_eval() and the str.format attribute/item access micro-language. Worth exploring for 3.4 (http://bugs.python.org/issue15452), as it would be better to actually try to close this attack vector rather than just documenting that it exists. Cheers, Nick. -- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia