[Tutor] Security [Was: Re: Decoding]
Alan Gauld
alan.gauld at btinternet.com
Tue Aug 14 18:03:49 CEST 2007
"Michael Sparks" <ms at cerenity.org> wrote
> You are COMPLETELY missing the point. The __following__ code
>
>> >> > foo = raw_input(...)
>> >> > x = eval(foo)
>
> ONLY works if the user has console access to the machine.
Actually no. It applies to stdin, which could be a console or a file.
I agree that raw_input is *usually* applicable to a console but
$ python myscript.py < mydirtydata.txt
will leave me open to all sorts of vulnerabilities. And if
the python script is embedded within a shell script then
this scenario becomes quite common and a valid security threat.
Regards,
--
Alan Gauld
Author of the Learn to Program web site
http://www.freenetpages.co.uk/hp/alan.gauld
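The two ways of handling that redirected stdin, side by side, as an added example that is not part of the original thread (the sample lines, `unsafe_parse`, `parse_untrusted` and `process_lines` are all constructed for illustration):

```python
import ast
import sys

# Constructed stand-in for mydirtydata.txt, the file that arrives on stdin via
#   python myscript.py < mydirtydata.txt
# The third line is not a data literal: it is an expression that calls a function.
SAMPLE_STDIN = [
    "42",
    "{'user': 'alice', 'ids': [1, 2, 3]}",
    "len('abcd')",
]


def unsafe_parse(text):
    """The pattern from the thread: eval() runs whatever expression is on the line,
    so a line in the input file is executed as code, console or not."""
    return eval(text)


def parse_untrusted(text):
    """Hardened form: ast.literal_eval accepts only literals (numbers, strings,
    tuples, lists, dicts, sets, booleans, None).  Names, calls, attribute access
    and other expressions raise ValueError or SyntaxError, so nothing runs.
    Returns (ok, value); the flag is needed because None is itself a valid literal."""
    try:
        return True, ast.literal_eval(text.strip())
    except (ValueError, SyntaxError):
        return False, None


def process_lines(lines):
    """Split input lines into parsed literals and rejected lines."""
    accepted, rejected = [], []
    for line in lines:
        ok, value = parse_untrusted(line)
        (accepted if ok else rejected).append(value if ok else line)
    return accepted, rejected


if __name__ == "__main__":
    # Read real stdin when redirected from a file, otherwise use the sample.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_STDIN
    accepted, rejected = process_lines(lines)
    print("accepted:", accepted)
    print("rejected:", rejected)
```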