[Tutor] eval and exec

Brian van den Broek bvande at po-box.mcgill.ca
Mon Dec 6 08:17:53 CET 2004

Hi all,

in a discussion of security risks with eval() and exec()

Alan Gauld said unto the world upon 2004-12-05 18:41:

> Even in a config file, if its plain text a hostile (or just
> mischievous) user could add a dangerous line and when you try
> to exec it bad things happen. Any time you allow users to
> influence what code runs you have potential for trouble
> - that is the principle behind all these "buffer overrun"
> security errors as well as all the script kiddie attacks
> - MS allows Outlook to run scripts when mail is open, if
> those scripts are harmful we have a virus!

I didn't know that about Outlook. Thanks for that; it makes me glad I 
run www.mozilla.org/products/thunderbird/ !

Danny Yoo said unto the world upon 2004-12-05 16:40:

> Here is an example of a string that can cause a StackOverflow error to
> happen:
> ###
> s = "(lambda loop: loop(loop)) (lambda self: self(self))"
> eval(s)
> ###
> The string 's' here looks funky, but in effect, it's definition is an
> infinite loop in heavy lambda disguise.  (Well, it would have been
> infinite if Python had tail call optimization... *grin*)

That's a really useful example. Thanks for posting it, Danny.

Best to all,

Brian vdB

More information about the Tutor mailing list