Yet Another Command Line Parser

Alex Martelli aleaxit at yahoo.com
Wed Oct 27 00:08:42 CEST 2004


Andrew Dalke <adalke at mindspring.com> wrote:
   ...
> >     exec('func(' + _options + ')')
> 
> > The only problem is that error messages are ugly.
> 
> And it's a huge security hole.  What if I did
> 
> script.py "x=6)\
> import os
> os.system('ls -l')"

Not to defend exec (ugly thing it is), but in this case I'm not sure
what the security hole would be.  If I enter that tricky commandline at
a shell prompt, it will be just as if i had executed the 'ls -l' at the
same shell prompt; weird, but where is the huge security hole?  It's not
as if there were setuid shell scripts (is there...?  I sure hope not!-).

IOW, what's the difference between that and the commandline

script.py 'x=6' && ls -l

for example?  The latter is no security hole, after all.

I understand and agree with the other criticisms you extend to the OP's
code, but this one leaves me perplexed.  exec is a huge security hole of
you're doing it on untrusted data, data supplied by somebody else than
the uid running the script; but how are commandline arguments
'untrusted'...?


Alex



More information about the Python-list mailing list