[Tutor] accessing list from a string
kent37 at tds.net
Wed Nov 26 13:17:08 CET 2008
On Wed, Nov 26, 2008 at 4:16 AM, Alan Gauld <alan.gauld at btinternet.com> wrote:
> "John Fouhy" <john at fouhy.net> wrote
>>> e = "tuple(" + e + ")"
>>> x,y = eval(e) # x -> 2.5, y -> 2.8
>> If I, as an evildoer, can control e, it seems that I could set it to:
>> ,), __import__('os').system('rm -rf /'
> But that would be a specific bit of code aimed at a
> specific eval - in other words the perp would need to
> know that the eval had a function call in it. So yes
> you do classify as devious in my definition! :-)
This works just as well:
s = '__import__("os").system("rm -rf /")'
I've no actual experience with this sort of attacker but it's not hard
to imagine a bored attacker trying many combinations of input, or
having a priori knowledge of the code under attack.
Tangentially related I have to mention this lovely SQL injection attack:
More information about the Tutor