configparser v/s file variables
Jim Lee
jlee54 at gmail.com
Wed Jun 27 19:09:09 EDT 2018
On 06/27/18 15:19, Steven D'Aprano wrote:
> On Wed, 27 Jun 2018 12:15:23 -0700, Jim Lee wrote:
>
>> It seems a bit silly to me to worry about arbitrary code execution in
>> an interpreted language like Python whose default runtime execution
>> method is to parse the source code directly. An attacker would be far
>> more likely to simply modify the source to achieve his ends rather than
>> try to inject a payload externally.
> Spoken like a single user on a single-user machine who has administrator
> privileges and can write to anything anywhere.
>
...which is exactly the case I was trying to illustrate. Another is the
elevation of privileges (in a multi-user environment) due to any of a
number of methods. The point is that the source code exists in the
execution environment, and once one gains access to that code, one
doesn't *need* anything else.
-Jim
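The distinction the thread is arguing over (a config file parsed as data versus a config file imported as Python) can be made concrete. The following is an added example, not code from the post or from the thread; the sample INI text, the `[paths]` section, its keys and the file-permission check are all constructed here. It shows that configparser returns a value that looks like code as an inert string, and pairs that with the check a deployer would actually care about given the reply above: whether the config file is writable by users other than its owner.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample config (not from the thread). The "hook" value is
# written to look like Python; configparser hands it back as a string.
SAMPLE_INI = """
[paths]
data_dir = /var/app/data
# To configparser the next line is text, not code to run.
hook = print("this would run only if the file were imported as Python")
"""


def load_settings(text):
    """Parse INI text and return the [paths] section as a plain dict.

    No value is evaluated: configparser is a data parser, so a string that
    resembles Python stays a string.
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return dict(parser["paths"])


def world_writable(path):
    """Return True if anyone other than owner/group can write the file.

    A config file (or a source file, which is the point made in the thread)
    that others can write lets them change what the program does, whatever
    parser is used.
    """
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IWOTH)


def demo():
    """Write the constructed sample to a temp file, load it, and audit its mode."""
    with tempfile.NamedTemporaryFile("w", suffix=".ini", delete=False) as fh:
        fh.write(SAMPLE_INI)
        path = fh.name
    try:
        os.chmod(path, 0o644)          # owner-writable only
        strict = world_writable(path)  # expected False
        os.chmod(path, 0o666)          # anyone may write
        loose = world_writable(path)   # expected True
        with open(path) as fh:
            settings = load_settings(fh.read())
    finally:
        os.unlink(path)
    return settings, strict, loose


if __name__ == "__main__":
    settings, strict, loose = demo()
    print("parsed values:", settings)
    print("0644 world-writable:", strict, " 0666 world-writable:", loose)
```

The two functions separate the two concerns the thread mixes together: `load_settings` shows what the parser choice buys (data stays data), while `world_writable` shows the condition under which the parser choice stops mattering, because whoever can write the file can already change the program's behaviour.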