[Python-ideas] Executable space protection: NX bit,
Steven D'Aprano
steve at pearwood.info
Tue Sep 4 07:08:54 EDT 2018
On Tue, Sep 04, 2018 at 11:20:40AM +1000, Cameron Simpson wrote:
> On 03Sep2018 20:58, Wes Turner <wes.turner at gmail.com> wrote:
> >So, if an application accepts user-supplied input (such as a JSON payload),
> >is that data marked as non-executable?
>
> Unless you've hacked the JSON decoder (I think you can supply a custom
> decoder for some things) all you're doing to get back is ints, strs, dicts
> and lists. And floats. None of those is executable.
Strings are executable with exec and eval, but if you're calling exec on
untrusted strings, you've already lost.
--
Steve
More information about the Python-ideas
mailing list