[Python-Dev] Re: Python and Security

Paul Prescod paul@prescod.net
Sun, 20 Jan 2002 15:49:58 -0800


Ka-Ping Yee wrote:
> 
>...
> 
> That said, however, i wonder why security rarely comes up as an
> issue for Python. 

I guess you didn't read comp.lang.python this week. ;)

http://www.securityfocus.com/archive/1/250580

> ... Is it because nobody expects security properties
> from the language?  

Remember that people for a long time thought of Perl as a "CGI
language". And early uses of CGI would probably have depended heavily on
the Perl equivalents of "popen" and "system". Plus, those features are
so easy to get at in the language. Compare:

print `ls`

   versus:

import os

print os.popen("ls").read()

If you were a newbie in each of these languages, what is the percentage
chance of you using either of these features versus the list-dir
equivalent? List-dir is available in each language.

> ... Does anyone know how much the restricted
> execution feature gets used?  

I personally would not trust it because I don't know if anyone is
following its progress from one version of Python to another. I also
know that even languages that are designed from scratch to be safe (Java
and JavaScript) have had leaky implementations so I don't really hold out
much hope for Python until I hear that someone is actively researching
this.

> ... Is there anyone here that would use
> a tainting feature if it existed?

I'd like to think I've internalized taint rules by osmosis...

> (By the way, i'm planning to be at Python 10, and hope to see many
> of you there.  As i'm looking for ways to keep costs down, would
> anyone be interested in splitting the cost of a hotel room in
> exchange for a roommate with a strange hairstyle?  I'll be there
> Feb 4 to 7, three nights.)

Maybe there should be a bulletin board or something for people to find
each other. I think one of the Python conferences had something like
that...for hotels and also to share cabs from the airport.

 Paul Prescod
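
The popen-versus-list-dir comparison in the message above, as an added example that is not part of the original post: the same directory listing done through the shell and through os.listdir, fed a plain name and a name carrying a shell metacharacter. The function names, the scratch directory and the MARKER string are constructed for illustration; a POSIX sh and ls are assumed.

```python
import os
import tempfile


def list_with_shell(dirname):
    # Same shape as os.popen("ls") in the post, with a caller-supplied name
    # appended: the whole string is parsed by /bin/sh before ls ever runs.
    with os.popen("ls " + dirname) as pipe:
        return pipe.read().split()


def list_with_listdir(dirname):
    # The list-dir equivalent: dirname is passed to the OS as one path and
    # no shell is involved. A name that is not a directory is just an error.
    try:
        return sorted(os.listdir(dirname))
    except OSError:
        return None


def demo():
    # Constructed sample input: a scratch directory holding two files, and a
    # "directory name" of the kind a CGI parameter could carry.
    with tempfile.TemporaryDirectory() as root:
        for name in ("a.txt", "b.txt"):
            open(os.path.join(root, name), "w").close()
        untrusted = root + "; echo MARKER"
        return {
            "shell_plain": list_with_shell(root),
            "listdir_plain": list_with_listdir(root),
            "shell_untrusted": list_with_shell(untrusted),
            "listdir_untrusted": list_with_listdir(untrusted),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the plain name both functions return the same listing; with the second input the shell version's output also contains MARKER, because the shell ran a second command, while os.listdir rejects the string as a nonexistent path.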