input() is a security problem?

Dan Stromberg strombrg at seki.acs.uci.edu
Mon Jun 4 23:58:03 CEST 2001


In the following program:

#!/dcs/packages/python-2.1/bin/python

var=12345

n=input('enter a number, or a variable name like "var": ')

print n



If one enters "var" at the prompt, one sees 12345.

This seems to be a problem for setuid python scripts that may have
access to data, stored in variables, that the user isn't supposed to
be able to see.

Yes, I know, use sys.stdin.readline() instead.  I do.  But...  is
there really a good reason for input to access variables this way?  It
seems an unnecessary pitfall.
-- 
Dan Stromberg                                               UCI/NACS/DCS



More information about the Python-list mailing list