[Tutor] Security [Was: Re: Decoding]

Tiger12506 keridee at jayco.net
Tue Aug 14 03:28:09 CEST 2007


> On Monday 13 August 2007 22:39, Tiger12506 wrote:
>> > foo = raw_input(...)
>> > x = eval(foo)
>> >
> ...
>> Let your program run on your machine and I'll walk by, type in this
>> string, and hit enter. We'll see how much of an exception it is when you
>> can't boot your XP machine anymore.
>> ;-)
>
> Who cares? I don't run XP :-D

I'm sure the equivalent can be done on different operating systems.

> Also, a broken XP machine is an opportunity anyway, not a problem.

Agreed.

> Seriously though, if typing:
>
>> "file('boot.ini','w').close()"
>
> Into an "eval prompt" worked then equally leaving a python interpreter
> open would be dumb, let alone a console.

It does work. Try it with a simple file "temp.txt" for example. You can run 
any function call if the string is parsed with eval. Notice I did not say 
"type into an eval prompt type loop" I mean entirely if the string is parsed 
with eval.

> Oddly my desktop machine often has a shell open, and often has a python
> interpreter running as well. Indeed at present it has 11 shells open. The
> non graphical console is a root shell (accessible by alt-f1). My work
> machines likewise have around a dozen shells open each.
>
> However, when I leave my machine alone the display locks itself, and its
> normally behind a locked door (unless I'm with it).
>
> Quite frankly anyone getting worried about this:
>
>> > foo = raw_input(...)
>> > x = eval(foo)
>
> Is pretty over anxious IMO. "Gosh, the person at the console might be able
> to get python do something which they can do anyway".

Again. Anytime the function is parsed with eval, you can run *any* python 
function that is in the scope that the eval function is being executed from. 
Security risks are never simple. Of course they can do it with a python 
console window open. But if you are worried about security you don't allow 
them access to the python console. You encapsulate it. But what if you use 
eval in a library function you write, which is used to parse some input? 
Peer to peer networks, http servers, even text files that you try to parse 
could be corrupted to cause your computer damage.

The point is that eval is a security risk "greater than other 
implementations", that is, using int() is much more secure than eval().
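As an added illustration of this point (example code, not from the original thread), the eval() pattern quoted above is placed beside two parsers that accept only data: int() for a plain number, and ast.literal_eval() when the input may be a list, string or other literal. A harmless constructed input, len('abc'), stands in for the destructive string discussed earlier; eval() executes it, the other two refuse it.

```python
import ast


def parse_with_eval(text):
    """The pattern from the thread: eval() of raw user input.

    Whatever expression the user typed is executed with the full
    power of the interpreter, including any function call in scope.
    """
    return eval(text)


def parse_int_safe(text):
    """Accept an integer literal only; anything else raises ValueError."""
    return int(text.strip())


def parse_literal_safe(text):
    """Accept Python literals (numbers, strings, lists, dicts, ...) only.

    ast.literal_eval parses the text into an AST and evaluates it without
    ever calling a function or looking up a name, so 'len("abc")' or
    '__import__("os")' is rejected instead of executed.
    """
    try:
        return ast.literal_eval(text.strip())
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"not a literal: {text!r}") from exc


def rejects(parser, text):
    """True if the parser refuses the input rather than evaluating it."""
    try:
        parser(text)
    except (ValueError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    attack_like = "len('abc')"  # constructed stand-in for an arbitrary call
    print("eval ran the call and returned:", parse_with_eval(attack_like))
    print("int() rejects it:", rejects(parse_int_safe, attack_like))
    print("literal_eval rejects it:", rejects(parse_literal_safe, attack_like))
    print("literal_eval still parses data:", parse_literal_safe("[1, 2, 3]"))
```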

> (This is rather distinct from taking random crap from someone not on the
> local console and just doing it (eg from a network connection/external
> resource))
>
> If the user wishes to trash their own machine, using an eval prompt is a
> rather bizarre way to go about it.

Sometimes it's not what they want to do. Kiosk centers are a good example. 
But if you parse a text file that you haven't reviewed... that's possible. 
Not likely. But possible. It's along the same lines as buffer overruns. It's 
possible. Not as likely. But possible.

JS 
