input() is a security problem?

Remco Gerlich scarblac at pino.selwerd.nl
Tue Jun 5 04:38:18 EDT 2001


Dan Stromberg <strombrg at seki.acs.uci.edu> wrote in comp.lang.python:
> 
> In the following program:
> 
> #!/dcs/packages/python-2.1/bin/python
> 
> var=12345
> 
> n=input('enter a number, or a variable name like "var": ')
> 
> print n
> 
> 
> 
> If one enters "var" at the prompt, one sees 12345.
> 
> This seems to be a problem for setuid python scripts that may have
> access to data, stored in variables, that the user isn't supposed to
> be able to see.
> 
> Yes, I know, use sys.stdin.readline() instead.  I do.  But...  is
> there really a good reason for input to access variables this way?  It
> seems an unnecessary pitfall.

That's what input() does - take input and eval() it. You could pass it 

Enter a number: __import__("os").system("rm -rf /")

So use raw_input() in most cases. And don't make setuid scripts, there are
other security problems with that (the file might change while the kernel is
calling the interpreter from the #! line).

input() is mostly a convenience for absolute newbies, to enter a number and
use it as a number in Python. raw_input() is better, or sys.stdin.readline()
which is almost the same thing.

-- 
Remco Gerlich
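Added example (not part of the original thread, and not code by either poster) that reproduces the behaviour being discussed and shows the safer alternative. Python 2's input() is eval(raw_input()); under Python 3, where this runs, input() no longer evaluates, so the eval step is written out explicitly in a helper named python2_style_input. The names SECRET_VAR, python2_style_input, parse_number, parse_literal and compare are assumptions made for this example; the prompt text "var" and the value 12345 are the ones from the quoted program.

```python
"""Why an eval()-based input() leaks script variables, and how to read a
number from untrusted text without evaluating it.  Added example; runs on
Python 3, which is why the Python 2 eval step is spelled out by hand."""
import ast

SECRET_VAR = 12345  # constructed stand-in for the post's `var`


def python2_style_input(text, namespace):
    """Mimic Python 2 input(): evaluate the typed line as an expression.
    `namespace` plays the role of the prompting script's globals, so any
    name the user types is looked up there, exactly as in the post."""
    return eval(text, namespace)  # this is the pitfall, kept on purpose


def parse_number(text):
    """Safe replacement: accept only an int or float literal.  A bare name
    such as "var" is not a number, so it is rejected instead of looked up."""
    stripped = text.strip()
    try:
        return int(stripped)
    except ValueError:
        pass
    try:
        return float(stripped)
    except ValueError:
        raise ValueError("not a number: %r" % text)


def parse_literal(text):
    """Middle ground when more than numbers are wanted: ast.literal_eval only
    builds literals (numbers, strings, tuples, ...), so names and calls raise
    ValueError rather than being resolved or executed."""
    return ast.literal_eval(text.strip())


def compare(text):
    """Run one typed line through both styles and report what each yields."""
    script_globals = {"var": SECRET_VAR}  # what the setuid script would hold
    results = {}
    try:
        results["eval"] = python2_style_input(text, script_globals)
    except Exception as exc:  # any failure of the eval path
        results["eval"] = type(exc).__name__
    try:
        results["safe"] = parse_number(text)
    except ValueError:
        results["safe"] = "rejected"
    return results


if __name__ == "__main__":
    # Constructed sample inputs: a real number and the variable-name trick.
    for line in ("42", "var"):
        print(repr(line), "->", compare(line))
```

With the number "42" both paths agree; with "var" the eval path returns the script's 12345 while parse_number rejects the line, which is the whole difference between input() and raw_input() plus explicit conversion.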


