input() is a security problem? (more)

Adonis deltapigz at telocity.com
Mon Jun 4 20:17:07 EDT 2001


*I'm a newbie so go easy on me if you know etc. or have better ways; just
want to comment*

found another problem with input(): the user can force a listing of
variables/modules:

>>> test = input('Command ')
Command dir()
>>> test
['__builtins__', '__doc__', '__name__', 'myinput', 'mypass', 'n', 'p', 'x']

then, as Dan pointed out before, the user can now use input() to view
variables such as passwords/usernames etc.

as well as execute module commands:

>>> test = input('Command ')
Command sys.platform
>>> test
'win32'

raw_input() on the other hand is not affected by this, which could be an
alternative, or use sys.stdin.readline() as stated by Dan

Adonis

Dan Stromberg wrote:

> In the following program:
>
> #!/dcs/packages/python-2.1/bin/python
>
> var=12345
>
> n=input('enter a number, or a variable name like "var": ')
>
> print n
>
> If one enters "var" at the prompt, one sees 12345.
>
> This seems to be a problem for setuid python scripts that may have
> access to data, stored in variables, that the user isn't supposed to
> be able to see.
>
> Yes, I know, use sys.stdin.readline() instead.  I do.  But...  is
> there really a good reason for input to access variables this way?  It
> seems an unnecessary pitfall.
> --
> Dan Stromberg                                               UCI/NACS/DCS
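Added example, not part of the thread: it emulates Python 2's input() (the line is read and then passed to eval) next to the hardened forms the thread recommends, where the line is read as data with raw_input()/sys.stdin.readline() and then parsed. The `mypass` value is a constructed placeholder and the function names are my own.

```python
import ast
import sys
from typing import Any

# Constructed placeholder secret, standing in for the "mypass" variable the
# post lists; a setuid script might hold real credentials like this.
mypass = "placeholder-not-a-real-password"


def python2_style_input(line: str) -> Any:
    """Emulate Python 2's input(): read text, then eval() it.

    The line is evaluated as a Python expression with access to this
    module's globals, which is the behaviour the thread objects to.
    """
    return eval(line, globals())  # untrusted text treated as code


def safe_number_input(line: str) -> int:
    """Hardened replacement for a numeric prompt.

    Equivalent to raw_input() / sys.stdin.readline() followed by int():
    the text is data and is never evaluated.
    """
    text = line.strip()
    try:
        return int(text, 10)
    except ValueError:
        raise ValueError(f"expected an integer, got {text!r}") from None


def literal_only_input(line: str) -> Any:
    """When a Python literal (number, string, list, dict) rather than an
    int is wanted, ast.literal_eval parses literals but rejects names,
    attribute access and calls, so a variable name or a function call
    typed at the prompt raises ValueError instead of being evaluated."""
    return ast.literal_eval(line.strip())


def rejects(parser, line: str) -> bool:
    """True if the parser refuses the line instead of evaluating it."""
    try:
        parser(line)
    except (ValueError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    # Python 3's input() already behaves like Python 2's raw_input();
    # sys.stdin.readline() is the form Dan suggests and works in both.
    sys.stdout.write('enter a number: ')
    sys.stdout.flush()
    print(safe_number_input(sys.stdin.readline()))
```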
