Executing python script stored as a string
Ecir Hana
ecir.hana at gmail.com
Tue Sep 1 06:12:55 EDT 2009
On Sep 1, 11:32 am, Steven D'Aprano
<ste... at REMOVE.THIS.cybersource.com.au> wrote:
> > But I don't quite understand why is it security
> > risk. How is it different to run:
> > exec 'format(your_hdd)'
> > than:
> > /bin/python format.py
> > ?
>
> It's not different. But read what I said -- "if the string is coming from
> an UNTRUSTED source" -- presumably you trust yourself. If you run 'exec
> "format(your_hdd)"' it is because *you* want to format your hard disk.
>
> Now imagine you have a web-app which gets a string from the user and
> calls exec on it. Then you might have this:
>
> exec "search('%d')" % user_input
>
> and the user, who is halfway across the world, enters the following
> search string:
>
> places to eat'); import os; os.system('#rm -rf /
>
> Your web app will go right ahead and erase itself. That's why you need to
> keep untrusted strings away from exec, execfile, and eval.
Ah, I see! Ok.
> No, I believe that the only way to halt that is to halt the entire
> process.
>
> Possibly there is a way to have a thread halt itself after a certain
> amount of time? I'm not an expert on threads, I've hardly ever used them.
Thank you once again!
More information about the Python-list
mailing list