Using Python for date calculations
alister.nospam.ware at ntlworld.com
Fri Nov 21 15:54:59 CET 2014
On Fri, 21 Nov 2014 08:54:23 -0500, random832 wrote:
> On Fri, Nov 21, 2014, at 05:33, alister wrote:
>> The problem with input is code-injection which is very similar to sql
>> injection (httpd://xkcd.com/327).
>> The data entered by the user is processed as if it was Python code,
>> this means the user could enter a command (or sequence of commands)
>> that cause serious problems to your computer including but not limited
> Except standard input for interactive programs is rarely across a
> privilege boundary. The user can accomplish any of these far more easily
> by entering a command into their shell. (Well, more easily depending on
> which is better able to use the API for their central heating, but the
> others certainly).
> There are good reasons to avoid it (user is likely to be surprised by
> weird error messages, causing a crash due to a typo), but this kind of
> paranoia is the same as has people in some circles refusing to use
> strlcpy or fgets because they can cause silent truncation.
If the program in question is purely for personal use then indeed it is
not important; as you say, I can just as easily stuff my computer without
needing to play silly b******s with a Python script.
It is if the program is ever going to be used by others (or possibly
worse running on something like a web server exposed to the public
internet) that needs paranoia.
My own personal opinion is that it is best to get into good habits even
with personal use "Quick & Dirty" scripts, you never know how they could
"What a terrible way to die."
"There are no good ways."
-- Sulu and Kirk, "That Which Survives", stardate unknown
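
The point discussed in this thread, as an added example that is not part of the original post: Python 2's `input()` is equivalent to `eval(raw_input())`, so a typed date is evaluated as an expression, while parsing the same text with `datetime.strptime` treats it strictly as data. The function names, the 32-character limit and the sample inputs are assumptions constructed for illustration.

```python
from datetime import datetime


def py2_style_input(text):
    """Emulate Python 2's input(): the typed line is passed to eval()."""
    return eval(text)  # deliberately unsafe: the text runs as an expression


def parse_date(text, fmt="%Y-%m-%d"):
    """Treat the typed line as data only; return a date or raise ValueError."""
    text = text.strip()
    if len(text) > 32:  # assumed limit: a date never needs more characters
        raise ValueError("input too long")
    return datetime.strptime(text, fmt).date()


def try_parse(text):
    """Return the parsed date, or None when the text is not a valid date."""
    try:
        return parse_date(text)
    except ValueError:
        return None


def days_between(start_text, end_text):
    """Date calculation on validated input: whole days from start to end."""
    return (parse_date(end_text) - parse_date(start_text)).days


# Constructed sample inputs: two valid dates, then three that must be rejected.
SAMPLES = [
    "2014-11-21",
    " 2014-12-25 ",
    "2014 - 11 - 21",             # an arithmetic expression, not a date
    "__import__('os').getcwd()",  # code-shaped text; it is never evaluated here
    "2014-02-30",                 # well-formed but not a real calendar day
]

if __name__ == "__main__":
    # With eval-style input the "date" silently becomes a subtraction.
    print("eval-style:", py2_style_input("2014-11-21"))
    for sample in SAMPLES:
        print(repr(sample), "->", try_parse(sample))
    print("days:", days_between("2014-11-21", "2014-12-25"))
```
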