[Tutor] Security [Was: Re: Decoding]

Kent Johnson kent37 at tds.net
Mon Aug 13 22:53:16 CEST 2007

Michael Sparks wrote:
>> Anything where user input is executed as code is a security hole and
>> should never be opened to untrusted users.
> foo = raw_input(...)
> x = eval(foo)
> Is an exception, in almost[*] every scenario I can think of. (and is the 
> context eval was being used as far as I can see without reading the whole 
> thread)
> Why? Because if they can type on the keyboard of a machine that's running 
> raw_input they have the ability to do far more damage that way than any 
> other. (ability to use a real sledgehammer on the machine springs to mind
> :-)

Hmm...could be a remote connection such as ssh, which precludes the 
sledgehammer though probably not the sort of mischief you can get into 
with eval()...perhaps there are untrusted remote connections where 
eval() would still be a significant risk, I don't know...


More information about the Tutor mailing list