REPOST: Re: Who needs exceptions (was Re: Two languages, too similar, competing in the same space.)

Roy Smith roy at panix.com
Sun Dec 30 17:14:36 CET 2001


Michael Stroder <michael at stroeder.com> wrote:
> Seriously, I'm sick of all the security announcements regarding
> buffer overflows and such. Not to speak of memory leaks. That's
> stone age.

On the other hand, a language like Python has its own set of potential 
security holes.  I guess the classic would be some variation on 
exec(readline()) or eval(readline()).  Sure, you're never supposed to write 
anything like that, but people do it (exactly the same can be said of not 
checking for buffer overflows in C).

If I was a bad guy looking to hack into machines by spoofing servers 
written in python, I'd throw:

   os.popen ('echo owned::0:0:YouAreOwned:/:/bin/sh >> /etc/passwd')

at every open port I could find and see what happened.  Do it to enough 
machines and you might strike gold eventually.  Would you suggest we 
eliminate eval() and exec() from the language?  Maybe taintPython? :-)

It's also possible to write memory leaks in python.  Consider something 
like:

packetLog = []
while 1:
   request = getPacketFromSocket()
   packetLog.append (request)
   doStuffWithPacket (request)

It's pretty dumb to write something like that, but it certainly is a memory 
leak.

========= WAS CANCELLED BY =======:
Path: news.sol.net!spool1-nwblwi.newsops.execpc.com!newsfeeds.sol.net!news-out.visi.com!hermes.visi.com!news.maxwell.syr.edu!feeder.kornet.net!news1.kornet.net!ua4canc3ll3r
From: Roy Smith <roy at panix.com>
Newsgroups: comp.lang.python
Subject: cmsg cancel <roy-B000F6.11143630122001 at news1.panix.com>
Control: cancel <roy-B000F6.11143630122001 at news1.panix.com>
Date: Mon, 31 Dec 2001 04:00:24 GMT
Organization: A poorly-installed InterNetNews site
Lines: 2
Message-ID: <cancel.roy-B000F6.11143630122001 at news1.panix.com>
NNTP-Posting-Host: 211.57.49.2
X-Trace: news2.kornet.net 1009774193 27193 211.57.49.2 (31 Dec 2001 04:49:53 GMT)
X-Complaints-To: usenet at news2.kornet.net
NNTP-Posting-Date: Mon, 31 Dec 2001 04:49:53 +0000 (UTC)
X-No-Archive: yes
X-Unac4ncel: yes
X-Commentary: I love NewsAgent 1.10 and the Sandblaster Cancel Engine Build 74 (19 March 1999)

This message was cancelled from within Mozilla.



More information about the Python-list mailing list