[Tutor] Security [Was: Re: Decoding]
brunson at brunson.com
Tue Aug 14 18:02:42 CEST 2007
Michael Sparks wrote:
> On Monday 13 August 2007 21:53, Kent Johnson wrote:
>> Hmm...could be a remote connection such as ssh, which precludes the
>> sledgehammer though probably not the sort of mischief you can get into
>> with eval()...perhaps there are untrusted remote connections where
>> eval() would still be a significant risk, I don't know...
> If they can ssh into a box, the likelihood of that ssh connection *only*
> allowing them access to run that single python program strikes me as
> vanishingly small :-)
Unless you set it up that way specifically, i.e. making the interactive
python program their login shell or specifying it to be run in their
Michael, sorry for the double post to you, I missed the "reply all"
button the first time.
> Generally speaking I agree that eval is a good opportunity for problems, but
> if it's in response to raw_input, I think the likelihood of it being the
> biggest potential security problem is low :)
> (After all, if they're ssh'ing in, they're more likely to ssh in, *then* run
> the code. They could happily delete and trash all sorts of things either
> inside or outside python. They could even write their own scripts to assist
> them in their devilish plans too, far exceeding the minor demon of eval ;-)
> Eval can however be an amazingly useful function, especially when combined
> with exec.
> Tutor maillist - Tutor at python.org
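The point both sides of the thread circle around is that eval() on user input hands the user a full Python interpreter, which matters exactly in the locked-down case brunson describes (the program is the login shell, so Python is the only thing the user is supposed to reach). The following is an added illustration, not code from the thread or the original program: it feeds constructed inputs to eval() and to ast.literal_eval(), and also checks the common "fix" of stripping builtins, which does not close the hole. The input strings and function names are assumptions for the demonstration; os.getcwd() stands in for a real escape such as os.system('/bin/sh').

```python
import ast

# Constructed sample inputs (assumed; the thread does not show the program's
# actual prompt). The program is imagined to expect a literal like a list of
# numbers from raw_input()/input().
BENIGN_INPUT = "[1, 2, 3]"

# Also valid Python: eval() imports os and calls into it. getcwd() is a
# harmless stand-in for os.system('/bin/sh'), which would drop a user whose
# login shell is "just this Python program" into a real shell.
HOSTILE_INPUT = "__import__('os').getcwd()"

# Classic escape that needs no builtins at all: walk from a tuple to object,
# then to every loaded subclass (from there one reaches os via e.g. the
# module/loader classes). Shown only far enough to prove the sandbox leaks.
NO_BUILTINS_ESCAPE = "().__class__.__bases__[0].__subclasses__()"


def unsafe_parse(text):
    """The pattern discussed in the thread: eval() on whatever was typed."""
    return eval(text)


def unsafe_parse_no_builtins(text):
    """A frequently suggested but insufficient hardening: eval() with an
    empty __builtins__. Attribute access on literals is still allowed."""
    return eval(text, {"__builtins__": {}})


def safe_parse(text):
    """Hardened form: ast.literal_eval() accepts only Python literals
    (numbers, strings, bytes, tuples, lists, dicts, sets, booleans, None).
    Names, calls, attribute access and imports raise ValueError."""
    return ast.literal_eval(text)


def try_safe_parse(text):
    """Return ('ok', value) or ('rejected', exception-name) for safe_parse()."""
    try:
        return ("ok", safe_parse(text))
    except (ValueError, SyntaxError) as exc:
        return ("rejected", type(exc).__name__)


if __name__ == "__main__":
    print("eval on benign input:", unsafe_parse(BENIGN_INPUT))
    print("eval on hostile input reached os:", unsafe_parse(HOSTILE_INPUT))
    classes = unsafe_parse_no_builtins(NO_BUILTINS_ESCAPE)
    print("eval without builtins still exposes", len(classes), "classes")
    print("literal_eval on benign input:", try_safe_parse(BENIGN_INPUT))
    print("literal_eval on hostile input:", try_safe_parse(HOSTILE_INPUT))
```

The practical rule this illustrates: if the input is meant to be data, parse it as data (ast.literal_eval, int(), a small grammar of your own) and never reach for eval(); and do not count on an empty __builtins__ dictionary to turn eval() into a sandbox.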