[Tutor] Re: Suggestions for cleaner code [be careful about input()]

Danny Yoo dyoo@hkn.eecs.berkeley.edu
Wed Jul 9 14:40:07 2003


On Wed, 9 Jul 2003, Magnus Lyckå wrote:

> At 18:02 2003-07-08 -0700, Jeff Shannon wrote:
>
> >Even worse, someone could easily type something like 'import os;
> >os.system("rm -s /")' -- this *will* import the os module and spawn a
> >shell that will attempt to delete every file on your system.
>
> No it won't. You can only evaluate expressions, not arbitrary
> statements. But the second part 'os.system("rm -s /")' is certainly
> possible, so if the program has already imported the os module, you are
> definitely in danger.


Jeff had the right idea.  If we use the __import__() builtin, the approach
works.  That is:


    __import__('os').system('ls')


is an example of something that input() will blissfully execute.  This is
what makes input() potentially dangerous.


Hope this helps!
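The behaviour discussed in this thread, as an added example that is not part of any of the messages above. Python 2's input() was equivalent to eval(raw_input()), so the example below emulates it with eval() on Python 3 (where input() just returns a string). The helper names (python2_style_input, safe_input, classify, demo) and the sample inputs are constructed for the example; the "expression" payload uses the same __import__() trick as Danny's example but calls os.getcwd() instead of os.system() so that running it is harmless. It shows three things: a statement such as Jeff's import line is rejected with SyntaxError (Magnus's point), an expression built with __import__() runs anyway (Danny's point), and ast.literal_eval() as a replacement refuses anything that is not a plain literal.

```python
import ast
import os


def python2_style_input(text):
    """Emulate Python 2's input(): it was eval(raw_input()), so whatever
    the user typed was evaluated as a Python expression."""
    return eval(text)


def safe_input(text):
    """Hardened replacement: ast.literal_eval only accepts literals
    (numbers, strings, tuples, lists, dicts, ...) and raises ValueError
    on calls, attribute access or names such as __import__."""
    return ast.literal_eval(text)


def classify(text):
    """Return 'statement' if the text cannot be parsed as a single
    expression (eval would raise SyntaxError), else 'expression'."""
    try:
        ast.parse(text, mode="eval")
    except SyntaxError:
        return "statement"
    return "expression"


# Constructed sample inputs (not taken from the original thread).
BENIGN = "42"
STATEMENT_PAYLOAD = 'import os; os.system("ls")'   # a statement: eval rejects it
EXPRESSION_PAYLOAD = "__import__('os').getcwd()"   # an expression: eval runs it


def demo():
    """Run the three inputs through both readers and report what happened."""
    results = {}
    results["benign"] = python2_style_input(BENIGN)

    results["statement_kind"] = classify(STATEMENT_PAYLOAD)
    try:
        python2_style_input(STATEMENT_PAYLOAD)
        results["statement_eval"] = "ran"
    except SyntaxError:
        results["statement_eval"] = "SyntaxError"

    # __import__ is a builtin, so the expression works even though this
    # module never needed `os` to be imported by the program itself.
    results["expression_eval"] = python2_style_input(EXPRESSION_PAYLOAD) == os.getcwd()

    try:
        safe_input(EXPRESSION_PAYLOAD)
        results["safe"] = "ran"
    except ValueError:
        results["safe"] = "ValueError"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The takeaway for code that still needs to turn typed text into a Python value: use int(), float() or ast.literal_eval() on the string, never eval() or Python 2's input(), since restricting what is imported does not help when __import__() itself is reachable from any expression.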