[Tutor] eval and exec

Marilyn Davis marilyn at deliberate.com
Mon Dec 6 06:13:40 CET 2004


On Sun, 5 Dec 2004, Danny Yoo wrote:
> 
> It pays to see a concrete example of an exploit that has occurred because
> of exec/eval misuse.  For example, here's an old one from July 2002:
> 
>     http://www.securityfocus.com/bid/5255/discussion/
> 
> Note that this one was in the Standard Library!  We'd expect that the
> folks who implement the Standard Library should know what they are doing.
> And if the Python implementors can have trouble using eval() safely, then
> how much more should we be wary!
> 

Thank you.  Goodness, pickle would execute this if it unpickled it, as
I understand it:

"S''*__import__('os').system('echo 0wn3d')\np0\n."

Hmmmmm.  Silly pickle.

> 
> If you or your students are interested in security stuff, you may find
> David Wheeler's guide on "Secure Programming for Linux and Unix HOWTO" a
> good start:
> 
>   http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/index.html
> 

Very interesting, thank you.

And thank you everyone for your illuminations.

In our case, where the socket isn't available from outside, and the
call strings are hardcoded, in order to breach an eval() call in my
code, they'd already have the machine in their lap and could do
anything else.  Our only ports that are open to the world are for
exim, and apache.  Otherwise we let ssh and rsync through if they are
coming from the right IP.  So we're pretty tight.

However, I think it's good engineering policy to keep things as
tightly controlled as possible.  So I think I'll take the good advice
given here and use apply() and do all my importing up front.


> 
> It contains a small section specifically for Python:
> 
>   http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/python.html
> 

BTW, the author of the Python section doesn't seem to like the
flexibility of Python's function calls.

All these lovely powerful things are security vulnerabilities.

Sigh.

Marilyn


> 
> I don't think that we should go completely crazy over security issues:
> these issues are often so subtle that even experts get caught.  But even
> so, I think we still have a responsibility to make sure the most
> egregious security problems never come to fruition.  So that's why most
> of us here will say eval() and exec() are evil.  *grin*
> 
> 
> I hope this helps!
> 
> 

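The approach Marilyn settles on above (stop handing request strings to eval(), do all importing up front, and call a fixed function instead) written out in Python 3, as an added example that is not code from the thread or from any of the posters. apply() was removed in Python 3; its equivalent is the f(*args) call syntax used here. The command names, handler functions and sample requests are constructed for illustration.

```python
"""Replacing an eval()-based dispatch with a fixed table of callables.

Added example, not code from the original thread.  The commands,
handlers and request strings below are constructed for illustration.
"""
import math
import shlex


# Imports and handlers are resolved once, up front.  Nothing that arrives
# over the socket is ever handed to eval() or exec().
def say_hello(name: str) -> str:
    return "hello, %s" % name


def add(a: str, b: str) -> str:
    return str(int(a) + int(b))


def sqrt(x: str) -> str:
    return "%.3f" % math.sqrt(float(x))


# The dispatch table is the whitelist: a request may only name a key here.
DISPATCH = {
    "hello": say_hello,
    "add": add,
    "sqrt": sqrt,
}


def dispatch_unsafe(call_string: str) -> str:
    """The pattern the thread warns about: the request text *is* code."""
    return str(eval(call_string))


def dispatch_safe(call_string: str) -> str:
    """Parse 'command arg1 arg2 ...' and call the matching handler.

    The command is looked up in DISPATCH; arguments are passed as plain
    strings, so a request can never reach __import__, os.system, or
    anything else outside the table.  This is the Python 3 form of
    "apply() with everything imported up front": apply(f, args) became
    f(*args).  Unknown commands and bad argument counts are rejected.
    """
    parts = shlex.split(call_string)
    if not parts:
        raise ValueError("empty request")
    name, args = parts[0], parts[1:]
    handler = DISPATCH.get(name)
    if handler is None:
        raise ValueError("unknown command: %r" % name)
    return handler(*args)


if __name__ == "__main__":
    # The last request is the shape of string the thread is worried about;
    # with a dispatch table it is just an unknown command name.
    for req in ["hello world", "add 2 40", "sqrt 2",
                "__import__('os').system('echo 0wn3d')"]:
        try:
            print(req, "->", dispatch_safe(req))
        except (ValueError, TypeError) as exc:
            print(req, "-> rejected:", exc)
```

The important property is that the request text only ever selects a key in DISPATCH; it is never interpreted as Python. Argument validation (here just int()/float() conversions in the handlers) happens inside each handler, so a malformed argument raises an exception rather than running anything.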