Python 2.3b1: RuntimeError using rexec

Jeremy Fincher tweedgeezer at hotmail.com
Wed Apr 30 06:32:45 CEST 2003


martin at v.loewis.de (Martin v. Löwis) wrote in message news:<m31xzl6pac.fsf at mira.informatik.hu-berlin.de>...
> eval should work, but it won't be safe if you cannot trust the string.

I'm curious, if the string was eval'ed in an environment that included
nothing except an empty __builtins__, would there be any non-DoS
security hole?  Obviously the attack could DoS by making some value
10**10**10**10 or something, but is there any actual *security* breach
possible?

Jeremy




More information about the Python-list mailing list