On 06/27/18 15:19, Steven D'Aprano wrote:
    On Wed, 27 Jun 2018 12:15:23 -0700, Jim Lee wrote:

        It seems a bit silly to me to worry about arbitrary code execution
        in an interpreted language like Python whose default runtime execution
        method is to parse the source code directly.  An attacker would be far
        more likely to simply modify the source to achieve his ends rather than
        try to inject a payload externally.

    Spoken like a single user on a single-user machine who has administrator
    privileges and can write to anything anywhere.



...which is exactly the case I was trying to illustrate.  Another is the elevation of privileges (in a multi-user environment) due to any of a number of methods.  The point is that the source code exists in the execution environment, and once one gains access to that code, one doesn't *need* anything else.

-Jim



--
https://mail.python.org/mailman/listinfo/python-list
