Another scripting language implemented into Python itself?

Grant Edwards grante at
Tue Jan 25 14:52:47 EST 2005

On 2005-01-25, Rocco Moretti <roccomoretti at> wrote:

> "import module" executes Python code. As such it can do
> anything Python can do. Crash your system, wipe the hard
> drive, etc.

Only if you run as root all the time -- and the same can be
said of any library routine you call.

> And there is nothing the importing code can do to stop it.

Nor is there anything you can to do stop libc from doing stuff.

> Now, if you limit yourself to known and trusted modules, that
> risk virtually disappears, just like staying on the sidewalk
> virtually eliminates the chances of getting hit by a bus. Not
> completely, mind you, since someone could have altered the 
> standard library modules/changed the import path such that
> you're importing an unknown module. But most people would
> argue if someone has that power, they probably can do anything
> they want with your system without you doing "import module."
> Bottom line: Don't exec or eval untrusted code. Don't import untrusted 
> modules.

I still don't see how that's any different for Python than for
any other language.

Grant Edwards                   grante             Yow!  I'm EXCITED!! I want
                                  at               a FLANK STEAK WEEK-END!! I
                                 think I'm JULIA CHILD!!

More information about the Python-list mailing list