[Tutor] Security [Was: Re: Decoding]

Michael Sparks ms at cerenity.org
Mon Aug 13 23:55:41 CEST 2007


On Monday 13 August 2007 21:53, Kent Johnson wrote:
> Hmm...could be a remote connection such as ssh, which precludes the
> sledgehammer though probably not the sort of mischief you can get into
> with eval()...perhaps there are untrusted remote connections where
> eval() would still be a significant risk, I don't know...

If they can ssh into a box, the likelihood of that ssh connection *only* 
allowing them access to run that single python program strikes me as 
vanishingly small :-)

Generally speaking I agree that eval is a good opportunity for problems, but 
if it's in response to raw_input, I think the likelihood of it being the 
biggest potential security problem is low :)

(After all, if they're ssh'ing in, they're more likely to ssh in, *then* run 
the code. They could happily delete and trash all sorts of things either 
inside or outside python. They could even write their own scripts to assist 
them in their devilish plans too, far exceeding the minor demon of eval ;-)

Eval can however be an amazingly useful function, especially when combined 
with exec.


Michael.
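For readers following the eval-on-raw_input thread: the example below is added here and is not code from Michael's or Kent's posts. It puts the unrestricted `eval()` call beside `ast.literal_eval()`, the standard-library parser that accepts only Python literals (numbers, strings, lists, tuples, dicts, sets, booleans, None) and refuses anything that would execute, such as a function call. The input strings are constructed for the demonstration; `len('abc')` stands in for the kind of expression a user could type that is not data at all.

```python
import ast

# Constructed sample inputs, as a user might type them at a raw_input()/input() prompt.
SAMPLE_INPUTS = [
    "42",
    "[1, 2, 3]",
    "{'host': 'localhost', 'port': 22}",
    "len('abc')",   # a call, not a literal: eval() runs it, literal_eval() refuses it
]


def safe_parse(text):
    """Parse user text as a Python literal without executing it.

    Returns (True, value) for a plain literal and (False, None) otherwise.
    ast.literal_eval raises ValueError for non-literal nodes (calls, names,
    attribute access) and SyntaxError for text that is not valid Python;
    MemoryError/RecursionError cover pathologically nested input.
    """
    try:
        return True, ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return False, None


def unsafe_parse(text):
    """The pattern under discussion: eval() on untrusted text with the default
    globals, so any expression the interpreter understands is executed."""
    return eval(text)


def compare(text):
    """Show what each parser does with one input string."""
    accepted, value = safe_parse(text)
    return {
        "input": text,
        "eval": unsafe_parse(text),
        "literal_eval": value if accepted else "REJECTED",
    }


def main():
    for text in SAMPLE_INPUTS:
        result = compare(text)
        print(f"{result['input']!r:40} eval -> {result['eval']!r:12} "
              f"literal_eval -> {result['literal_eval']!r}")


if __name__ == "__main__":
    main()
```

The first three inputs come back identical from both parsers, which is the common case that makes `eval()` look harmless; the fourth is where they diverge. Where the program only needs a value from the user, `ast.literal_eval` gives the same convenience with no way for the text to run code, so the question of who holds the ssh session never has to be asked.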

