New submission from anatoly techtonik techto...@gmail.com:
2to3 converts raw_input() calls into input(), and input() runs all user data
through eval(). This opens a hole in previously secure Python2.x applications.
Is the author of this change aware of the issue?
--
components: 2to3
Changes by anatoly techtonik techto...@gmail.com:
Added file: http://bugs.python.org/file21348/python3-security.py
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue11641
___
Andreas Stührk andy-pyt...@hammerhartes.de added the comment:
`input()` in Python 3 is the same as `raw_input()` in Python 2. It does not
evaluate the input as Python code.
--
nosy: +Trundle
Brian Curtin br...@python.org added the comment:
This is incorrect. Please look at Python/bltinmodule.c for how input() is
implemented - there is no eval involved.
--
nosy: +brian.curtin
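The difference the two replies describe, shown in running code. This is an added example, not code from the tracker thread or from CPython: the three reader functions below are my own names standing in for the three builtins, they take a stream argument instead of reading stdin so the example runs offline, and the "hostile" input line is constructed for the demonstration (it only calls os.getpid(), but any expression could be substituted).

```python
import ast
import io


def py2_style_input(stream):
    """Python 2 input(): read a line, then eval() it.
    Reproduced only to show the hazard the report assumed; never do this
    with untrusted data, since the line is executed as Python code."""
    line = stream.readline().rstrip("\n")
    return eval(line)  # arbitrary code execution on attacker-controlled text


def py3_style_input(stream):
    """Python 3 input() and Python 2 raw_input(): the line comes back as a
    str and nothing is evaluated. This is what 2to3's raw_input fixer
    maps onto, so the converted call keeps raw_input()'s behaviour."""
    return stream.readline().rstrip("\n")


def safe_literal_input(stream):
    """What to use instead of Python 2 input() when a value, not a string,
    is wanted: ast.literal_eval accepts only literals (numbers, strings,
    tuples, lists, dicts, sets, booleans, None) and raises ValueError on
    names, calls and attribute access."""
    return ast.literal_eval(stream.readline().rstrip("\n"))


def demo():
    """Feed the same two lines to each reader and collect what comes back."""
    benign = "2 + 2"
    # Constructed hostile line: executes a call into the os module. Harmless
    # here (the result is just a boolean), but it proves code ran.
    hostile = "__import__('os').getpid() > 0"
    results = {}
    results["py2_benign"] = py2_style_input(io.StringIO(benign + "\n"))
    results["py2_hostile"] = py2_style_input(io.StringIO(hostile + "\n"))
    results["py3_benign"] = py3_style_input(io.StringIO(benign + "\n"))
    results["py3_hostile"] = py3_style_input(io.StringIO(hostile + "\n"))
    try:
        safe_literal_input(io.StringIO(hostile + "\n"))
        results["literal_hostile"] = "evaluated"
    except ValueError:
        results["literal_hostile"] = "rejected"
    results["literal_list"] = safe_literal_input(io.StringIO("[1, 2, 3]\n"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} -> {value!r}")
```

Running it shows the Python 2 `input()` path turning "2 + 2" into the integer 4 and executing the hostile line, while the Python 3 `input()` path returns both lines unchanged as strings; `ast.literal_eval` parses the list literal and rejects the call expression.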
Changes by Eric Smith e...@trueblade.com:
--
resolution: -> invalid
status: open -> closed
type: security ->
anatoly techtonik techto...@gmail.com added the comment:
Sorry. I accidentally ran the converted file with Python 2.x.
To avoid future confusion, should there be a reference in the 2to3 docs to the
behavior change for the input() function?
From http://docs.python.org/library/2to3#2to3fixer-raw_input
Changes by Brian Curtin br...@python.org:
--
type: security ->
Éric Araujo mer...@netwok.org added the comment:
I find http://docs.python.org/dev/library/functions#input clear enough.
Remember that 3.x is a clean cut, it does not carry information for 2.x users;
those have enough information with
http://docs.python.org/py3k/whatsnew/3.0#builtins IMO.