need fast parser for comma/space delimited numbers
Moshe Zadka
moshez at math.huji.ac.il
Sun Mar 19 01:05:03 EST 2000
On 18 Mar 2000, Bernhard Herzog wrote:
<about eval>
> It is, of course, a gaping security hole unless you use rexec.
Sorry to pick on you (I do admire you for Sketch), but this is a common
myth, which is totally untrue. Think about a random program, say, hmmm...
Sketch. I run it from my account. Now say Sketch wants to let me execute
some random Python code -- how is it a security hole? If I wanted to
delete my file system, I'd do it myself. I don't need Sketch so that I
can type __import__("shutil").rmtree('/') into it; no, I can just rm -rf
myself.
Now, most Python programs (certainly most scientific Python programs) are
not run as CGIs and the like, but rather by the user who wants them to
run. So, using eval/exec without rexec is perfectly all right from a
security POV.
The only problem is that you're executing random Python code, which means
you won't be able to understand bug-reports. But that's a reason to use
eval/exec with the optional dictionaries, not for rexec.
My minor rant for today.
Keep Sketching!
--
Moshe Zadka <mzadka at geocities.com>.
http://www.oreilly.com/news/prescod_0300.html
http://www.linux.org.il -- we put the penguin in .com
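An added example, not part of the original post or of the thread, showing the two approaches the thread is about in modern Python 3: parsing comma/space delimited numbers by handing them to eval with the optional globals/locals dictionaries (so the namespace the expression ran in is explicit and known when a bug report comes in), and the same parse done without eval at all. The sample input and the function names are constructed for this example; the `{"__builtins__": {}}` dictionary documents the namespace, it is not a sandbox, which is the post's point.

```python
import re

# Constructed sample input: numbers separated by commas, spaces, or both.
SAMPLE = "1, 2.5 3,4e2  -7"


def parse_with_eval(text):
    """Parse delimited numbers by building a list literal and eval-ing it.

    The expression is evaluated with an explicit, empty globals dict and an
    empty locals dict.  That does not make eval safe against hostile input;
    it only means that when a user reports "it raised NameError", we know
    exactly which names were (not) visible to the expression.
    """
    tokens = text.replace(",", " ").split()
    expr = "[" + ",".join(tokens) + "]"
    namespace = {"__builtins__": {}}  # explicit, known namespace (not a sandbox)
    try:
        return eval(expr, namespace, {})
    except (NameError, SyntaxError) as exc:
        # Re-raise with the offending text so the bug report is understandable.
        raise ValueError("not a list of numbers: %r (%s)" % (text, exc))


def parse_direct(text):
    """Same result without eval: split on commas/whitespace, convert each token."""
    tokens = [t for t in re.split(r"[,\s]+", text.strip()) if t]
    try:
        return [float(t) for t in tokens]
    except ValueError as exc:
        raise ValueError("not a list of numbers: %r (%s)" % (text, exc))


if __name__ == "__main__":
    print(parse_with_eval(SAMPLE))  # -> [1, 2.5, 3, 400.0, -7]
    print(parse_direct(SAMPLE))     # -> [1.0, 2.5, 3.0, 400.0, -7.0]
```

Both functions accept the same input; the eval version keeps ints as ints and floats as floats, the direct version returns floats throughout. Feeding either one a token that is not a number (say `1, 2, foo`) raises a ValueError that quotes the original text.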