[Tutor] Security [Was: Re: Decoding]
Michael Sparks
ms at cerenity.org
Mon Aug 13 18:46:57 CEST 2007
On Monday 13 August 2007 15:28, Kent Johnson wrote:
> > The original poster posted a post with the following function:
...
> > message=raw_input("Enter the message to decode: ")
> > result=''
> > for x in string.split(message):
> >     result=result+chr(eval(x))
> Anything where user input is executed as code is a security hole and
> should never be opened to untrusted users.
foo = raw_input(...)
x = eval(foo)
Is an exception, in almost[*] every scenario I can think of. (and is the
context eval was being used as far as I can see without reading the whole
thread)
[*] One scenario that seems unlikely but possible is a scenario where a
machine has been put into a form of kiosk mode where the *only* thing
they can do is type responses to the raw_input prompt. Given where
raw_input runs, this strikes me as highly unrealistic/unlikely.
Why? Because if they can type on the keyboard of a machine that's running
raw_input they have the ability to do far more damage that way than any
other. (ability to use a real sledgehammer on the machine springs to mind
:-)
Michael.
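The decoder under discussion, shown beside a hardened version, as an added example that is not part of the thread. `decode_with_eval` is reconstructed from the snippet quoted above (written for Python 3, so `input()` stands in for `raw_input()`); `decode_safely` is a hypothetical replacement that parses each token with `int()` after a strict format check, so an entry such as `64+8` or `0x48`, which `eval` happily evaluates to 72, is rejected instead of executed.

```python
import re


def decode_with_eval(message):
    """Decoder as posted in the thread (reconstructed): every whitespace-separated
    token is passed to eval(), so any Python expression typed at the prompt runs."""
    return ''.join(chr(eval(x)) for x in message.split())


def decode_safely(message):
    """Hardened decoder: a token is accepted only if it is a short run of decimal
    digits that names a valid Unicode code point; nothing is evaluated as code."""
    result = []
    for token in message.split():
        # Format check before conversion: names, operators, hex prefixes and
        # calls all fail here, long before int() or chr() see them.
        if not re.fullmatch(r'[0-9]{1,7}', token):
            raise ValueError("not a decimal code point: %r" % token)
        code = int(token)
        if code > 0x10FFFF:
            raise ValueError("code point out of range: %d" % code)
        result.append(chr(code))
    return ''.join(result)


def safely_rejects(message):
    """True if the hardened decoder refuses the message (used to compare the two)."""
    try:
        decode_safely(message)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: a plain message and two tokens that are
    # expressions rather than numbers.
    for sample in ("72 101 108 108 111", "64+8 105", "0x48 105"):
        print("%-20r eval: %r  safe: %s" % (
            sample,
            decode_with_eval(sample),
            "rejected" if safely_rejects(sample) else decode_safely(sample)))
```

Run it and the first sample decodes to `Hello` either way, while the other two decode only through `eval`: the hardened decoder raises `ValueError` because its input grammar is "decimal digits", not "anything Python can evaluate".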