[Tutor] Re: Suggestions for cleaner code

Jeff Shannon jeff@ccvcorp.com
Wed Jul 9 13:11:03 2003


Magnus Lycke wrote:

> At 18:02 2003-07-08 -0700, Jeff Shannon wrote:
>
>> Even worse, someone could easily type something like 'import os; 
>> os.system("rm -s /")' -- this *will* import the os module and spawn a 
>> shell that will attempt to delete every file on your system.
>
> No it won't. You can only evaluate expressions, not arbitrary
> statements. But the second part 'os.system("rm -s /")' is
> certainly possible, so if the program has already imported
> the os module, you are definitely in danger. 
Ah, right, my mistake -- input() uses eval() internally, and eval() can 
only handle expressions, not statements.  So the malicious possibilities 
aren't *quite* as open as I had suggested, though they are still 
definitely there, as are the possibilities for unintentional problems.

Jeff Shannon
Technician/Programmer
Credit International
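To make the distinction in the thread concrete, here is an added example (not code from the original post or either author). It mimics what Python 2's input() did, namely eval() on the raw text, and shows that a statement such as `import os; ...` is rejected as a SyntaxError, while an *expression* such as `__import__('os').getcwd()` still executes arbitrary code (getcwd() is used here as a harmless stand-in for os.system). It then shows the usual hardening, ast.literal_eval(), which accepts only Python literals. The function names and the sample inputs are constructed for this example.

```python
import ast


def eval_like_old_input(text):
    """Mimic Python 2's input(): the raw text is passed straight to eval().

    Returns a (status, value) pair so callers can see which inputs are
    rejected outright (statements), which run (expressions), and which
    blow up by accident (e.g. an undefined name). Constructed for
    demonstration only; never use this pattern on untrusted input.
    """
    try:
        return ("ok", eval(text))
    except SyntaxError:
        # eval() only compiles expressions; any statement (import, assignment,
        # multiple statements separated by ';') fails here before running.
        return ("syntax_error", None)
    except Exception as exc:  # unintended failures, e.g. NameError on 'hello'
        return ("error", type(exc).__name__)


def parse_literal(text):
    """Hardened replacement: only Python literals (numbers, strings, lists,
    tuples, dicts, sets, booleans, None) are accepted.

    Names, attribute access and calls, including __import__('os')..., are
    rejected, so no code runs regardless of what the user typed.
    """
    try:
        return ("ok", ast.literal_eval(text))
    except (ValueError, SyntaxError):
        return ("rejected", None)


# Constructed sample inputs, the kind a user might type at an input() prompt.
SAMPLES = [
    "2 + 3",                               # harmless expression
    'import os; os.system("echo hi")',     # statement: eval() refuses it
    "__import__('os').getcwd()",           # expression: eval() runs it
    "hello",                               # typo / unquoted string
    "[1, 2, 3]",                           # a literal both paths accept
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample))
        print("  eval-style input():", eval_like_old_input(sample))
        print("  ast.literal_eval():", parse_literal(sample))
```

On Python 3, input() returns the string unchanged, so the dangerous behaviour only reappears if someone writes eval(input()) explicitly; the example calls eval() directly so it behaves the same on either version.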