[Python-3000] PEP 3131 accepted

Ian D. Bollinger ian.bollinger at gmail.com
Wed May 23 12:03:43 CEST 2007

Ka-Ping Yee wrote:
>     2.  Python will become vulnerable to a new class of security
>         exploits via the writing of misleading or malicious code
>         that is visually indistinguishable from correct code.
>         Consequently it will be more difficult for humans to
>         inspect code and assure its correctness or trustworthiness.
>         There is very little established best practice for
>         addressing homograph security issues.
Isn't it already easy enough to do that today?

 >>> import base64; exec 
... Hello, world!

Admittedly, you could look for anything like that and be suspicious, but
running a program from an untrusted source is always going to be
dangerous.  For standalone applications, you can already do things like
compile malicious C extension modules that are impossible to verify.

As for programs that use Python for scripting, shouldn't it be up to
them to ensure that it runs in a restricted environment?  A browser, for
instance, would have to do that already.

- Ian D. Bollinger

More information about the Python-3000 mailing list