Fredrik Lundh <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> > Assuming the script isn't setuid, this would do no more damage than the
> > user could do directly on the command line.
>
> except that when the user is typing things into the command line, he
> *knows* that he's typing things into the command line.
Aye! Who is to say that this script won't get re-used innocently in a web application?

And in this particular example we were talking about typing regular expressions into the shell, which have many of the same metacharacters as the shell. So even an innocent use of the above can cause problems.

Just say no to passing user input (from anywhere at all) via the shell! That (along with SQL injection attacks, which are very similar in concept) is one of the most common security attacks for scripting languages like Python when used in a web environment.

--
Nick Craig-Wood <[EMAIL PROTECTED]> -- http://www.craig-wood.com/nick
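The point Nick makes above, shown in code. This is an added example and not code from the thread: it builds the same `grep` invocation both ways, uses `shlex` to show how a POSIX shell would tokenise the concatenated string (without ever executing it), and then runs the argv-list form without a shell. The sample pattern and log text are constructed; the search itself is run through a small Python one-liner standing in for `grep`, an assumption made so the example runs wherever Python does.

```python
"""Shell string vs argv list: why a user-supplied regex must never be spliced
into a shell command."""
import shlex
import subprocess
import sys
from typing import List

# Constructed sample: a pattern a user typed into a search box. As a regex it
# is harmless, but to /bin/sh the '|' and ';' also read as command separators.
SAMPLE_PATTERN = "error|fail; echo INJECTED"

# Constructed sample input the search runs over.
SAMPLE_LOG = (
    "2024-01-01 error: disk full\n"
    "2024-01-01 ok: logs rotated\n"
)


def build_shell_command(pattern: str) -> str:
    """The unsafe form: string concatenation handed to os.system / shell=True."""
    return "grep -E " + pattern + " app.log"


def shell_tokens(command: str) -> List[str]:
    """Tokenise a command line the way a POSIX shell would, with operators
    such as '|' and ';' split out as separate tokens. This only models the
    shell's parse; nothing is executed."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def build_quoted_shell_command(pattern: str) -> str:
    """If a shell really cannot be avoided, shlex.quote() turns the pattern
    into a single word the shell will not split or interpret."""
    return "grep -E " + shlex.quote(pattern) + " app.log"


def build_argv(pattern: str) -> List[str]:
    """The safe form: an argv list. The pattern is one argument, whatever it
    contains, and '--' stops grep from reading a leading '-' as an option."""
    return ["grep", "-E", "--", pattern]


def run_search(pattern: str, text: str) -> List[str]:
    """Run the search with an argv list and no shell. Hypothetical stand-in:
    a Python one-liner plays the role of grep so this runs offline anywhere;
    the argv-list discipline is the same as for ["grep", "-E", "--", pattern]."""
    filter_script = (
        "import re, sys\n"
        "pat = re.compile(sys.argv[1])\n"
        "for line in sys.stdin:\n"
        "    if pat.search(line):\n"
        "        sys.stdout.write(line)\n"
    )
    argv = [sys.executable, "-c", filter_script, pattern]
    proc = subprocess.run(argv, input=text, capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    print("shell would see:", shell_tokens(build_shell_command(SAMPLE_PATTERN)))
    print("quoted:        ", shell_tokens(build_quoted_shell_command(SAMPLE_PATTERN)))
    print("argv list:     ", build_argv(SAMPLE_PATTERN))
    print("matches:       ", run_search(SAMPLE_PATTERN, SAMPLE_LOG))
```

In the tokenised unsafe form the `;` and the word `echo` appear as their own tokens, i.e. the shell would treat the second half of the "regex" as a second command; in the quoted and argv forms the whole pattern stays a single word. A defender reviewing code should treat `os.system(...)` and `subprocess.*(..., shell=True)` with any concatenated or formatted input as findings, and prefer the argv list, which needs no quoting at all.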