Yet Another Command Line Parser

Alex Martelli aleaxit at
Wed Oct 27 00:08:42 CEST 2004

Andrew Dalke <adalke at> wrote:
> >     exec('func(' + _options + ')')
> > The only problem is that error messages are ugly.
> And it's a huge security hole.  What if I did
> "x=6)\
> import os
> os.system('ls -l')"

Not to defend exec (ugly thing it is), but in this case I'm not sure
what the security hole would be.  If I enter that tricky commandline at
a shell prompt, it will be just as if I had executed the 'ls -l' at the
same shell prompt; weird, but where is the huge security hole?  It's not
as if there were setuid shell scripts (are there...?  I sure hope not!-).

IOW, what's the difference between that and the commandline

    'x=6' && ls -l

for example?  The latter is no security hole, after all.

I understand and agree with the other criticisms you extend to the OP's
code, but this one leaves me perplexed.  exec is a huge security hole if
you're doing it on untrusted data, data supplied by somebody else than
the uid running the script; but how are commandline arguments

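The following is an added example, not code from the thread or from the OP's parser. It shows the exec-based pattern quoted above next to a replacement that parses the same `name=value, ...` option string with `ast`, accepts only literal arguments, and then calls the real function. The target function `func`, its signature, and the constructed `PAYLOAD` (Andrew Dalke's `x=6)` trick with a harmless marker in place of `os.system('ls -l')`) are assumptions made for the example; the thread does not show the OP's actual function.

```python
import ast


def func(x=0, verbose=False):
    # Assumed stand-in for the OP's target function; the thread does not show it.
    return {"x": x, "verbose": verbose}


def call_with_exec(options):
    """The pattern quoted in the thread: splice the option string into Python
    source and exec it.  Whatever the string contains becomes code."""
    ns = {"func": func, "result": None}
    exec("result = func(" + options + ")", ns)
    return ns  # the namespace shows everything the string managed to define


# Constructed payload in the shape Dalke describes: close the call, start a
# new statement, then reopen a parenthesis so the wrapper's trailing ')' parses.
# A benign marker replaces os.system('ls -l').
PAYLOAD = "x=6)\nimport os\nINJECTED = os.name; _ = (1"


def _literal(node):
    # ast.literal_eval accepts an AST node; anything that is not a plain
    # literal (a name, a call, an attribute) raises ValueError.
    try:
        return ast.literal_eval(node)
    except ValueError:
        raise ValueError("option value must be a literal: %s" % ast.dump(node)) from None


def call_with_ast(options, target=func):
    """Replacement for exec: parse 'f(<options>)' as a single expression,
    accept only a call whose arguments are literals, and call the real
    function with those values.  Nothing from the string is ever executed."""
    try:
        tree = ast.parse("f(" + options + ")", mode="eval")
    except SyntaxError as exc:
        # mode="eval" refuses statements, so "x=6)\nimport os" fails here
        raise ValueError("bad option string: %s" % exc) from None
    call = tree.body
    if not (isinstance(call, ast.Call)
            and isinstance(call.func, ast.Name) and call.func.id == "f"):
        raise ValueError("option string is not a plain argument list")
    if any(isinstance(a, ast.Starred) for a in call.args) \
            or any(k.arg is None for k in call.keywords):
        raise ValueError("*args / **kwargs unpacking is not allowed")
    args = [_literal(a) for a in call.args]
    kwargs = {k.arg: _literal(k.value) for k in call.keywords}
    return target(*args, **kwargs)


if __name__ == "__main__":
    print(call_with_exec("x=6")["result"])
    print("INJECTED" in call_with_exec(PAYLOAD))       # True: extra code ran
    print(call_with_ast("x=6, verbose=True"))
    try:
        call_with_ast(PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

Because the option string is parsed rather than executed, a value such as `x=(1, 2)` still works (commas inside a literal are handled by the parser, not by splitting the string), while `x=__import__('os')` is rejected as a non-literal. The `ValueError` messages also name the offending node, which addresses the "error messages are ugly" complaint as well as the injection one.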

More information about the Python-list mailing list