[Python-ideas] Executable space protection: NX bit,

Steven D'Aprano steve at pearwood.info
Tue Sep 4 07:08:54 EDT 2018

On Tue, Sep 04, 2018 at 11:20:40AM +1000, Cameron Simpson wrote:
> On 03Sep2018 20:58, Wes Turner <wes.turner at gmail.com> wrote:
> >So, if an application accepts user-supplied input (such as a JSON payload),
> >is that data marked as non-executable?
> Unless you've hacked the JSON decoder (I think you can supply a custom 
> decoder for some things) all you're going to get back is ints, strs, dicts 
> and lists.  And floats. None of those is executable.

Strings are executable with exec and eval, but if you're calling exec on 
untrusted strings, you've already lost.
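
An added example, not part of the original message or thread: it checks that the stock `json` decoder returns only plain data types, that a custom `object_hook` changes this, and that a decoded string which looks like code is still just a `str`. `is_inert`, `Wrapped`, `literal_or_none` and the payload are names and data constructed for this illustration.

```python
import ast
import json

# Exact types the stock json decoder can produce (bool and None included).
INERT = (dict, list, str, int, float, bool, type(None))

def is_inert(value):
    """True if every node is exactly one of the stock decoder's data types."""
    if type(value) not in INERT:
        return False
    if isinstance(value, dict):
        return all(is_inert(k) and is_inert(v) for k, v in value.items())
    if isinstance(value, list):
        return all(is_inert(item) for item in value)
    return True

class Wrapped:
    """Hypothetical application type built by a custom object_hook."""
    def __init__(self, fields):
        self.fields = fields

def literal_or_none(text):
    """Accept text only if it is a Python literal; expressions such as calls are rejected."""
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return None

# Constructed sample payload: one field holds text that looks like Python code.
PAYLOAD = '{"name": "print(1 + 1)", "n": 1, "f": 1.5, "tags": [true, null]}'

def demo():
    plain = json.loads(PAYLOAD)                        # stock decoder
    hooked = json.loads(PAYLOAD, object_hook=Wrapped)  # customised decoder
    return plain, hooked

if __name__ == "__main__":
    plain, hooked = demo()
    print(is_inert(plain), type(plain["name"]).__name__)
    print(is_inert(hooked), type(hooked).__name__)
    print(literal_or_none(plain["name"]), literal_or_none("[1, 2]"))
```

The string is only ever evaluated if the application itself hands it to `exec` or `eval`; `ast.literal_eval` is the standard-library alternative when literal parsing is all that is needed.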

