[Tutor] accessing list from a string

Kent Johnson kent37 at tds.net
Wed Nov 26 13:17:08 CET 2008

On Wed, Nov 26, 2008 at 4:16 AM, Alan Gauld <alan.gauld at btinternet.com> wrote:
> "John Fouhy" <john at fouhy.net> wrote
>>>  e = "tuple(" + e + ")"
>>>  x,y  = eval(e)    # x -> 2.5, y -> 2.8
>> If I, as an evildoer, can control e, it seems that I could set it to:
>>   ,), __import__('os').system('rm -rf /'
> But that would be a specific bit of code aimed at a
> specific eval - in other words the perp would need to
> know that the eval had a function call in it. So yes
> you do classify as devious in my definition! :-)

This works just as well:
s = '__import__("os").system("rm -rf /")'

I've no actual experience with this sort of attacker but it's not hard
to imagine a bored attacker trying many combinations of input, or
having a priori knowledge of the code under attack.

Tangentially related I have to mention this lovely SQL injection attack:


More information about the Tutor mailing list