Executing python script stored as a string

Ecir Hana ecir.hana at gmail.com
Tue Sep 1 12:12:55 CEST 2009


On Sep 1, 11:32 am, Steven D'Aprano
<ste... at REMOVE.THIS.cybersource.com.au> wrote:
> > But I don't quite understand why is it security
> > risk. How is it different to run:
> > exec 'format(your_hdd)'
> > than:
> > /bin/python format.py
> > ?
>
> It's not different. But read what I said -- "if the string is coming from
> an UNTRUSTED source" -- presumably you trust yourself. If you run 'exec
> "format(your_hdd)"' it is because *you* want to format your hard disk.
>
> Now imagine you have a web-app which gets a string from the user and
> calls exec on it. Then you might have this:
>
> exec "search('%s')" % user_input
>
> and the user, who is halfway across the world, enters the following
> search string:
>
> places to eat'); import os; os.system('#rm -rf /
>
> Your web app will go right ahead and erase itself. That's why you need to
> keep untrusted strings away from exec, execfile, and eval.

Ah, I see! Ok.

> No, I believe that the only way to halt that is to halt the entire
> process.
>
> Possibly there is a way to have a thread halt itself after a certain
> amount of time? I'm not an expert on threads, I've hardly ever used them.

Thank you once again!
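The exchange above, worked through as an added example (not code from the thread or from either poster): the exec-based handler Steven describes, a search string that breaks out of the quoted literal the same way his does, and a handler that passes the identical input as plain data. It goes a little beyond the post by also showing an allow-list dispatch table and ast.literal_eval for the case where a string really must become a Python value. Written for Python 3, so exec() is a function rather than the Python 2 statement in the post; search(), safe_handler(), the PAYLOAD string and the SEARCH_LOG/PWNED lists are all hypothetical, and the payload records os.name instead of calling os.system so it is harmless to run.

```python
"""Added example (not code from the original thread): the exec-based request
handler described in the quoted reply, the injected search string that breaks
out of the string literal, and a handler that treats the same input as data.
Python 3, so exec() is a function; the 2009 post uses Python 2's exec statement.
"""
import ast

# Constructed "application state": records what the code actually did.
SEARCH_LOG = []   # queries the real search() function received
PWNED = []        # evidence that attacker-chosen statements ran


def search(query):
    """Hypothetical application function the web app intends to call."""
    SEARCH_LOG.append(query)
    return ["hit for %r" % query]


def vulnerable_handler(user_input):
    """Pattern from the quoted post: the request is assembled as Python SOURCE.
    The user's quote and semicolons are parsed as code, not kept as data."""
    code = "search('%s')" % user_input
    namespace = {"search": search, "PWNED": PWNED}
    exec(code, namespace)
    return code  # returned so the caller can see what was actually executed


# The post's payload ends with os.system('#rm -rf /'); this constructed one
# proves execution with a harmless side effect (appends os.name to PWNED).
# After interpolation the handler runs:
#   search('places to eat'); import os; PWNED.append(os.name); ('')
PAYLOAD = "places to eat'); import os; PWNED.append(os.name); ('"


ACTIONS = {"search": search}   # allow-list of callables a user may trigger


def safe_handler(action, user_input):
    """Never turn input into code: look the action up in a fixed table and
    hand the input over as an argument, so quotes and semicolons stay inert."""
    func = ACTIONS.get(action)
    if func is None:
        raise ValueError("unknown action %r" % action)
    return func(user_input)


def parse_literal(text):
    """If a string genuinely has to become a Python value, use
    ast.literal_eval: it accepts literals only and raises ValueError on code."""
    return ast.literal_eval(text)


if __name__ == "__main__":
    print(vulnerable_handler(PAYLOAD), PWNED)      # attacker statements ran
    print(safe_handler("search", PAYLOAD), PWNED)  # payload was just a query
    print(parse_literal("[1, 'two']"))
    try:
        parse_literal("__import__('os').system('id')")
    except ValueError as exc:
        print("rejected:", exc)
```

Running it shows the vulnerable handler logging a search for 'places to eat' and then executing the rest of the payload, while safe_handler logs the whole payload string as one (odd-looking but harmless) query; the boundary between code and data is decided by the program, never by the content of the string.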


