Converting hex string to an integer
Peter Hansen
peter at engcorp.com
Sat Aug 28 23:25:08 EDT 2004
Michael Hudson wrote:
> Peter Hansen <peter at engcorp.com> writes:
>
>
>>Rick Holbert wrote:
>>
>>>Derek Fountain wrote:
>>>
>>>>Given the character string "0x00A1B2C3" arriving at sys.argv[1] how do I
>>>>convert that to an integer which I can do some math on?
>>>
>>>i = eval(sys.argv[1])
>>
>>That's dangerous advice to a newbie if not qualified carefully.
>>
>>Derek, "eval" could be the source of serious security problems
>>if you don't understand its power. Specifically it should
>>almost never be used for input that comes from a user or
>>via the command line. There is pretty much always another
>>and much better way to do the simple stuff like conversions
>>than to use eval.
>>
>>For example, imagine if a malicious user could feed your program this:
>>
>>(on the Linux command line)
>>
>> $ myscript "__import_('os').system('rm -rf /')"
>
> Well, in this situation, he could just type
>
> $ rm -rf /
>
> But, yes.
He could if he were on the same system, but it's quite possible
that sys.argv[1] in this particular program is actually coming
from a remote system in some manner (web?). But, yes. :-)
-Peter
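
An added example, not part of the original thread: one way to do the conversion discussed above without eval, using int() behind a strict format check. The function name parse_hex_arg and the 32-bit (1-8 hex digit) limit are assumptions made for this illustration.

```python
import re
import sys

# Assumed grammar for this example: "0x" followed by 1-8 hex digits (32 bits).
# int() alone also tolerates surrounding whitespace, a leading sign and "_"
# digit separators, so the exact pattern is checked before converting.
_HEX32 = re.compile(r"0[xX][0-9a-fA-F]{1,8}")


def parse_hex_arg(text):
    """Return the integer value of a 0x-prefixed hex string, or raise ValueError."""
    if not isinstance(text, str) or not _HEX32.fullmatch(text):
        raise ValueError("expected 0x followed by 1-8 hex digits, got %r" % (text,))
    # int() only parses digits; unlike eval() it never executes its input.
    return int(text, 16)


def main(argv):
    if len(argv) != 2:
        print("usage: %s 0xHEXVALUE" % argv[0], file=sys.stderr)
        return 2
    try:
        value = parse_hex_arg(argv[1])
    except ValueError as exc:
        print("error: %s" % exc, file=sys.stderr)
        return 1
    print(value + 1)  # an ordinary int, ready for arithmetic
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Anything that is not exactly a hex literal, including a Python expression, is rejected with an error message and a non-zero exit status instead of being evaluated.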