[Tutor] Security [Was: Re: Decoding]

Michael Sparks ms at cerenity.org
Mon Aug 13 23:55:41 CEST 2007

On Monday 13 August 2007 21:53, Kent Johnson wrote:
> Hmm...could be a remote connection such as ssh, which precludes the
> sledgehammer though probably not the sort of mischief you can get into
> with eval()...perhaps there are untrusted remote connections where
> eval() would still be a significant risk, I don't know...

If they can ssh into a box, the likelihood of that ssh connection *only* 
allowing them access to run that single python program strikes me as 
vanishingly small :-)

Generally speaking I agree that eval is a good opportunity for problems, but 
if its in response to raw_input, I think the likelihood of it being the 
biggest potential security problem is low :)

(After all, if they're ssh'ing in, they're more likely to ssh in, *then* run 
the code. They could happily delete and trash all sorts of things either 
inside or outside python. They could even write their own scripts to assist 
them in their devilish plans too, far exceeding the minor demon of eval ;-)

Eval can however be an amazingly useful function, especially when combined 
with exec.


More information about the Tutor mailing list