Security implications of using open() on untrusted strings.

News123 news123 at free.fr
Tue Nov 25 23:37:25 CET 2008


Jorgen Grahn wrote:
>   Compare with a language (does Perl allow this?) where if the string
>   is "rm -rf /|", open will run "rm -rf /" and start reading its output.
>   *That* interface would have been 

Good example. (for perl):

The problem doesn't exist in python
open("rm -rf / |") would try to open a file with exactly that name and
it would fail if it doesn't exist.

In perl the perl script author has the choice to be safe (three argument
open) or to allow stupid or nice things with a two argument open.

In perl:
open($fh,"rm -rf / |") would execute the command "rm -rf /" and pass
it's output to perl

In perl:
open($fh,"rm -rf / |","<") would work as in python


The only similiar pitfall for pyhon would be popen() in a context like
filename=userinput()
p = os.popen("md5sum "+f)
here you would have unexpected behavior if filename were something like
"bla ; rm -rf /"


Sometimes I miss the 'dangerous variation' in python and I explicitely
add code in python that the filename '-' will be treated as stdin for
files to be read and as stdout for files to be written to

bye N



More information about the Python-list mailing list