[Tutor] eval and exec

Brian van den Broek bvande at po-box.mcgill.ca
Mon Dec 6 08:17:53 CET 2004


Hi all,

In a discussion of security risks with eval() and exec(),

Alan Gauld said unto the world upon 2004-12-05 18:41:

> Even in a config file, if it's plain text a hostile (or just
> mischievous) user could add a dangerous line and when you try
> to exec it bad things happen. Any time you allow users to
> influence what code runs you have potential for trouble
> - that is the principle behind all these "buffer overrun"
> security errors as well as all the script kiddie attacks
> - MS allows Outlook to run scripts when mail is open, if
> those scripts are harmful we have a virus!

I didn't know that about Outlook. Thanks for that; it makes me glad I
run www.mozilla.org/products/thunderbird/!


Danny Yoo said unto the world upon 2004-12-05 16:40:

> Here is an example of a string that can cause a StackOverflow error to
> happen:
> 
> ###
> s = "(lambda loop: loop(loop)) (lambda self: self(self))"
> eval(s)
> ###
> 
> The string 's' here looks funky, but in effect, its definition is an
> infinite loop in heavy lambda disguise.  (Well, it would have been
> infinite if Python had tail call optimization... *grin*)

That's a really useful example. Thanks for posting it, Danny.

Best to all,

Brian vdB
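The two risks quoted in this message (a hostile line in a plain-text config file that gets eval()'d, and Danny's self-referencing lambda string) can be illustrated side by side. The following is an added example, not code from the original thread: it contrasts eval() with ast.literal_eval() from the standard library, which only accepts Python literal syntax (strings, numbers, tuples, lists, dicts, booleans, None) and refuses anything that would call or define code, and it shows how to keep a bad line from crashing the program. The sample config lines are constructed for this example; the recursive string is the one from Danny's post.

```python
import ast

# Constructed sample lines, as a user-editable plain-text config might hold them.
# BENIGN_LINE is the data a program expects.  RECURSIVE_LINE is Danny Yoo's
# self-referencing lambda, which eval() turns into unbounded recursion.
# CALL_LINE is a harmless stand-in for any line that is code rather than data.
BENIGN_LINE = "{'host': 'localhost', 'port': 8080, 'debug': False}"
RECURSIVE_LINE = "(lambda loop: loop(loop)) (lambda self: self(self))"
CALL_LINE = "len('not a literal')"


def load_with_eval(text):
    """The risky pattern: whatever the file contains becomes running code."""
    return eval(text)


def load_with_literal_eval(text):
    """The safe pattern: ast.literal_eval parses literals only and raises
    ValueError for calls, lambdas, attribute access and the like."""
    return ast.literal_eval(text)


def classify(text, loader):
    """Apply loader to text and report what happened as a (status, value) pair,
    so a hostile line is contained instead of taking the program down."""
    try:
        value = loader(text)
    except RecursionError:
        # eval() of the lambda string ends here once the interpreter's
        # recursion limit is hit.
        return ("recursion", None)
    except (ValueError, SyntaxError):
        # literal_eval rejects non-literal syntax with ValueError;
        # SyntaxError covers lines that are not valid Python at all.
        return ("rejected", None)
    return ("ok", value)


def load_config(text):
    """Read a config value the defensive way: literals only, and the result
    must be a dict, so a stray number or string is also refused."""
    status, value = classify(text, load_with_literal_eval)
    if status != "ok" or not isinstance(value, dict):
        raise ValueError("config line is not a dict literal")
    return value


if __name__ == "__main__":
    for line in (BENIGN_LINE, RECURSIVE_LINE, CALL_LINE):
        print(repr(line))
        print("  eval        :", classify(line, load_with_eval))
        print("  literal_eval:", classify(line, load_with_literal_eval))
```

Run as a script, each line is tried with both loaders: eval() happily runs the call and recurses on the lambda string, while ast.literal_eval() returns the dict for the benign line and rejects the other two before any code executes. load_config() is the shape a program reading user-editable config would actually use.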


