[Tutor] eval and exec

Marilyn Davis marilyn at deliberate.com
Sun Dec 5 19:23:08 CET 2004

And how can __import__ be safer?  If an attacker can usurp the string
in an exec call, couldn't he usurp the string in an __import__ call?
And couldn't he import untrusted code?  It could have a call to exec()
in it?  And what about the apply() function?  Aren't all of these the
same open door?

I love the exec() call.  I love the idea of code that makes and execs
code.  I'll make myself obsolete.  :^)


On Sun, 5 Dec 2004, Marilyn Davis wrote:

> On Sat, 4 Dec 2004, Chad Crabtree wrote:
> > Marilyn Davis wrote:
> > 
> > >Thank you.  You guys are great.
> > >
> > >I was trying to eval("import %s" % something).  
> > >
> > >exec("import %s" % something) works just fine and now I understand
> > why.
> > >
> > >But, why is this so extremely dangerous?
> > >
> > >Marilyn
> > >  
> > >
> > Mainly it's only extremely dangerous if it's going to be attacked at 
> > all.  What I mean is it will run any code that it imports this way,
> > even 
> > untrusted code(possibly).  Mostly I think that it's difficult to
> > debug, 
> > however if it works you should use it.  It seems that many people do 
> > this at one point or another, and considered I guess inelegent by
> > some. 
> > If security is an issue then this is a very big no no according to
> > what 
> > I've  heard.
> And Alan said:
> > But much better to use the __import__() function for doing that if
> > possible... Or simply importing all the modules you might need at the
> > beginning, its not a big overhead...
> > 
> > Alan G.
> There's something about this that I'm not getting.
> Is it more dangerous than having the python interpreter around?
> Users will have access to our machine via the web and via email.  We
> want to be safe against attack.
> As I understand it, Apache has modpython, so it runs all the python
> code that happens, no matter how many users, with only one copy of the
> interpreter in memory.  It's sort of a big exec-machine, isn't it?
> I want to do the same trick for my Mail Transfer Agent, exim.  Exim
> has a new feature where you can configure it to talk to an AF_UNIX
> socket to get any info it needs.  An AF_UNIX socket is file-based and
> is not open for outside machines to connect to. So I made a little
> python program with a socket and threads so that exim can call the
> various python programs that I've written for sorting out mail.
> I don't want to introduce insecurity.  But also I want to really
> understand what the problem is -- especially because I teach python.
> And I can't see the security problem, unless there's a security
> problem already, like if I allowed incoming email to dictate the
> parameters that I send through the socket.  The email provides data
> for argv[1:] but argv[0] is hard-coded.
> And I don't see how web traffic can get there at all.
> If we had real users with login rights, then they could get to the
> interpreter and wouldn't need my little daemon to wreck havoc -- if I
> had my persmissions wrong.
> So what am I missing?
> Thank you for your help.
> Marilyn
> _______________________________________________
> Tutor maillist  -  Tutor at python.org
> http://mail.python.org/mailman/listinfo/tutor


More information about the Tutor mailing list