STINNER Victor added the comment:
> we assume it was generated by Python and not an external, malicious source.
Said differently: you must not trust .py or .pyc downloaded from untrusted
sources. Executing arbitary .py or .pyc file allows to execute arbitrary Python
code.
Instead of writing complex code to inject machine code in the Python evaluation
loop (Python/ceval.c), just execute "import os; os.system('echo pwn!')" which
runs an arbitrary shell command. Compile it to .pyc if you want to "exploit"
the PYC path.
----------
nosy: +haypo
_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue23281>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
