[Python-ideas] List Revolution
Devin Jeanpierre
jeanpierreda at gmail.com
Sat Sep 10 21:37:26 CEST 2011
> Not in this example. So why not?
Yes it did in this example. You introduced a vulnerability in your
first attempt, and it was found by somebody else. eval makes
accidental vulnerabilities way easier than they should be, even for
people that are trying to be careful. Even your modified version had
something that in some circumstances would be DoS-attackable because
your verification still allowed for unintended operations.
But yeah, if you can guarantee that there won't be any ill-effects
from using eval, _of course_ it's OK. The problem is that these
guarantees are too easy to get wrong, or to forget, or to
misunderstand.
Devin
On Sat, Sep 10, 2011 at 3:27 PM, Massimo Di Pierro
<massimo.dipierro at gmail.com> wrote:
> On Sep 10, 2011, at 2:22 PM, Matt Billenstein wrote:
>
>> On Sat, Sep 10, 2011 at 02:14:13PM -0500, Massimo Di Pierro wrote:
>>> Not to open a can of worms but why not use eval in this example?
>>> It is faster. It is 5x more compact. It allows me to take advantage of the
>>> Python parser instead of reinventing the wheel. It is less error prone and
>>> easier to understand. It is a python keyword.
>>
>> I wouldn't worry too much about the implementation details of a clearly insane
>> idea...
>
> agreed
>
>> And eval generally has high "code-smell" -- it can lead to code injection exploits.
>
> Not in this example. So why not?
> Any code can introduce vulnerabilities if incorrect.
>
> _______________________________________________
> Python-ideas mailing list
> Python-ideas at python.org
> http://mail.python.org/mailman/listinfo/python-ideas
>
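An added illustration of the point Devin makes above (this is example code written for this page, not anything posted in the thread): a character-class "verification" of the kind that looks safe for arithmetic input does block the classic `__import__('os')` payload, yet it still waves through `9**9**9**9`, which eval() will happily try to compute and never finish. The hardened alternative below walks the `ast` with an explicit node allowlist and a bound on exponent size; the regex, the limits (`MAX_EXPONENT`, `MAX_LENGTH`) and all inputs are constructed assumptions for the demonstration.

```python
import ast
import operator
import re

# Constructed example of a "looks safe" check: only digits, arithmetic
# operators, parentheses, dots and whitespace are allowed. Names and
# underscores are rejected, so eval("__import__('os').system(...)") is
# blocked, but nothing stops an expression that is pure arithmetic and
# still unintended, such as 9**9**9**9.
NAIVE_ALLOWED = re.compile(r"^[0-9+\-*/().\s]+$")


def naive_filter_allows(expr: str) -> bool:
    """True if the regex-style verification would pass expr on to eval()."""
    return bool(NAIVE_ALLOWED.match(expr))


# Explicit allowlist of AST node types mapped to the operator each may use.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}

MAX_EXPONENT = 64   # assumed policy limit; tune to the application
MAX_LENGTH = 200    # assumed cap on input length


def safe_eval(expr: str):
    """Evaluate a numeric expression without eval().

    Only the node types listed above are accepted (no names, calls,
    attributes or strings), and exponents are bounded so that an input
    like 9**9**9 cannot hang the process.
    """
    if len(expr) > MAX_LENGTH:
        raise ValueError("expression too long")
    tree = ast.parse(expr, mode="eval")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        # bool is a subclass of int, so compare the exact type
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            left = walk(node.left)
            right = walk(node.right)
            # Operands are evaluated first, so 9**9**9 (parsed as
            # 9**(9**9)) is refused before the outer power is computed.
            if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
                raise ValueError("exponent exceeds policy limit")
            return _BIN_OPS[type(node.op)](left, right)
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)


def is_rejected(expr: str) -> bool:
    """True if safe_eval refuses expr (policy violation or unparsable)."""
    try:
        safe_eval(expr)
    except (ValueError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    for sample in ("2 + 3 * 4", "9**9**9**9", "__import__('os').system('id')"):
        print(f"{sample!r}: naive filter allows={naive_filter_allows(sample)}, "
              f"safe_eval rejects={is_rejected(sample)}")
```

The naive check is not wrong about what it tests, it is wrong about what it allows: everything it lets through is syntactically arithmetic, but "arithmetic" and "cheap to evaluate" are not the same property. The AST walker makes the allowed grammar explicit and enforces a resource bound at the one operator that can blow up; division by zero still raises `ZeroDivisionError`, which a caller should treat as just another bad input.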