[Tutor] Security [Was: Re: Decoding]

Michael Sparks ms at cerenity.org
Tue Aug 14 01:24:14 CEST 2007


On Monday 13 August 2007 22:39, Tiger12506 wrote:
> > foo = raw_input(...)
> > x = eval(foo)
> >
...
> Let your program run on your machine and I'll walk by, type in this string,
> and hit enter. We'll see how much of an exception it is when you can't boot
> your XP machine anymore.
> ;-)

Who cares? I don't run XP :-D 

Also, a broken XP machine is an opportunity anyway, not a problem.

Seriously though, if typing:

> "file('boot.ini','w').close()"

into an "eval prompt" worked, then equally leaving a python interpreter open 
would be dumb, let alone a console. 

Oddly my desktop machine often has a shell open, and often has a python 
interpreter running as well. Indeed at present it has 11 shells open. The non 
graphical console is a root shell (accessible by alt-f1). My work machines 
likewise have around a dozen shells open each.

However, when I leave my machine alone the display locks itself, and it's 
normally behind a locked door (unless I'm with it).

Quite frankly anyone getting worried about this:

> > foo = raw_input(...)
> > x = eval(foo)

Is pretty over-anxious IMO. "Gosh, the person at the console might be able to 
get python to do something which they can do anyway". 

(This is rather distinct from taking random crap from someone not on the local 
console and just doing it (eg from a network connection/external resource))

If the user wishes to trash their own machine, using an eval prompt is a 
rather bizarre way to go about it.


Michael.
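The distinction Michael draws, between input typed at a local console and "random crap" arriving over a network connection, is where `eval(raw_input(...))` stops being a harmless convenience. The usual fix when the input really is untrusted is to parse it as a Python literal only, never as executable code. The following is an added example, not code from the thread; it assumes Python 3 and uses the standard library's `ast` module. `parse_untrusted` and `disallowed_nodes` are names chosen here for illustration.

```python
import ast

# AST node types that ast.literal_eval is willing to evaluate: containers,
# numbers, strings, bytes, booleans, None, sign flips and complex arithmetic.
# Anything outside this set (Call, Attribute, Name, Subscript, ...) means the
# string would execute code rather than describe a value.
_LITERAL_NODES = {
    ast.Expression, ast.Constant, ast.Tuple, ast.List, ast.Dict, ast.Set,
    ast.UnaryOp, ast.UAdd, ast.USub, ast.BinOp, ast.Add, ast.Sub, ast.Load,
}


def parse_untrusted(text):
    """Turn untrusted text into a Python value without executing it.

    ast.literal_eval accepts only literal syntax, so a string such as
    "file('boot.ini','w').close()" is rejected instead of being run.
    """
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError) as exc:
        raise ValueError("input is not a plain literal: %r" % (text,)) from exc
    # Note: very deeply nested input can still raise RecursionError or
    # MemoryError; a length cap on `text` before parsing is a cheap guard.


def disallowed_nodes(text):
    """Return the set of AST node type names that make `text` non-literal.

    Useful for logging why an input was refused. An empty set means the
    input is a literal that parse_untrusted would accept.
    """
    tree = ast.parse(text, mode="eval")
    return {
        type(node).__name__
        for node in ast.walk(tree)
        if type(node) not in _LITERAL_NODES
    }


if __name__ == "__main__":
    # Constructed sample inputs: a harmless literal, then two strings that
    # would execute code under eval().
    for sample in ("[1, 2, 3]", "abs(-3)", "file('boot.ini','w').close()"):
        try:
            print(repr(sample), "->", parse_untrusted(sample))
        except ValueError as err:
            print(repr(sample), "-> refused; offending nodes:",
                  sorted(disallowed_nodes(sample)), "(%s)" % err)
```

`eval` and `ast.literal_eval` both parse the same grammar, but only the latter refuses to evaluate a `Call`, `Attribute` or `Name` node, which is exactly the difference between reading a value and running a program on behalf of whoever sent the string.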

