REPOST: Re: Who needs exceptions (was Re: Two languages, too similar, competing in the same space.)

Roy Smith roy at
Sun Dec 30 17:14:36 CET 2001

Michael Stroder <michael at> wrote:
> Seriously, I'm sick of all the security announcements regarding
> buffer overflows and such. Not to speak of memory leaks. That's
> stone age.

On the other hand, a language like Python has its own set of potential 
security holes.  I guess the classic would be some variation on 
exec(readline()) or eval(readline()).  Sure, you're never supposed to write 
anything like that, but people do it (exactly the same can be said of not 
checking for buffer overflows in C).

If I was a bad guy looking to hack into machines by spoofing servers 
written in python, I'd throw:

   os.popen ('echo owned::0:0:YouAreOwned:/:/bin/sh >> /etc/passwd')

at every open port I could find and see what happened.  Do it to enough 
machines and you might strike gold eventually.  Would you suggest we 
eliminate eval() and exec() from the language?  Maybe taintPython? :-)

It's also possible to write memory leaks in python.  Consider something 

packetLog = []
while 1:
   request = getPacketFromSocket()
   packetLog.append (request)
   doStuffWithPacket (request)

It's pretty dumb to write something like that, but it certainly is a memory 

========= WAS CANCELLED BY =======:
From: Roy Smith <roy at>
Newsgroups: comp.lang.python
Subject: cmsg cancel <roy-B000F6.11143630122001 at>
Control: cancel <roy-B000F6.11143630122001 at>
Date: Mon, 31 Dec 2001 04:00:24 GMT
Organization: A poorly-installed InterNetNews site
Lines: 2
Message-ID: <cancel.roy-B000F6.11143630122001 at>
X-Trace: 1009774193 27193 (31 Dec 2001 04:49:53 GMT)
X-Complaints-To: usenet at
NNTP-Posting-Date: Mon, 31 Dec 2001 04:49:53 +0000 (UTC)
X-No-Archive: yes
X-Unac4ncel: yes
X-Commentary: I love NewsAgent 1.10 and the Sandblaster Cancel Engine Build 74 (19 March 1999)

This message was cancelled from within Mozilla.
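
The two pitfalls raised in the post above (evaluating text read from a peer, and a request log that grows without limit), shown next to a hardened form. This is an added example, not code from the original message; `parse_unsafe`, `parse_safe`, `serve`, `MAX_LINE` and `LOG_DEPTH` are names and limits assumed for illustration, and the sample input is constructed.

```python
import ast
import os
from collections import deque

MAX_LINE = 4096   # assumed cap on one request line
LOG_DEPTH = 1000  # assumed number of recent requests worth keeping


def parse_unsafe(line):
    # The pattern the post warns about: the peer's text runs as code.
    return eval(line)


def parse_safe(line):
    # Accept only Python literals; names, calls and attribute access are refused.
    if len(line) > MAX_LINE:
        raise ValueError("request line too long")
    try:
        return ast.literal_eval(line.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("rejected non-literal input") from exc


def serve(lines, log_depth=LOG_DEPTH):
    # Bounded counterpart of the post's packetLog: old entries fall off the front.
    packet_log = deque(maxlen=log_depth)
    accepted, rejected = [], 0
    for line in lines:
        packet_log.append(line)
        try:
            accepted.append(parse_safe(line))
        except ValueError:
            rejected += 1
    return accepted, rejected, len(packet_log)


# Constructed sample input. The probe is a harmless stand-in for a hostile line:
# it only asks for the process id, which is enough to show that code ran.
PROBE = "__import__('os').getpid()"
SAMPLE = ["{'op': 'get', 'id': 7}", PROBE, "[1, 2, 3]"] * 2

if __name__ == "__main__":
    print("eval ran the probe:", parse_unsafe(PROBE) == os.getpid())
    print(serve(SAMPLE, log_depth=4))
```

`ast.literal_eval` only suits protocols whose messages really are Python literals; the length cap is there because very large or deeply nested literals can still exhaust memory or the parser's recursion limit.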
