On Sun, 5 Dec 2004, Alan Gauld wrote:

> > And I can't see the security problem, unless there's a security
> > problem already, like if I allowed incoming email to dictate the
> > parameters that I send through the socket.  The email provides data
> > for argv[1:] but argv[0] is hard-coded.
> >
> > And I don't see how web traffic can get there at all.
>
> You can generate a CGI call by typing the GET string straight into the
> address bar of the browser. If a smart user realises that some of the
> parameters are being interpreted they can (and often will) try to fake
> what the page generates, this could involve putting python commands,
> such as 'import os;os.system("rm -f /")' into the escape string...
>
> Equally if you embed Python in a program and allow users to type strings
> which are then exec() or eval()'d they could type a similar os.system()
> command. Or they might use print and dir to find variable names and
> manipulate those.


Hi Marilyn,

It pays to see a concrete example of an exploit that has occurred because
of exec/eval misuse.  For example, here's an old one from July 2002:

    http://www.securityfocus.com/bid/5255/discussion/

Note that this one was in the Standard Library!  We'd expect that the
folks who implement the Standard Library should know what they are doing.
And if the Python implementors can have trouble using eval() safely, then
how much more should we be wary!


If you or your students are interested in security stuff, you may find
David Wheeler's guide on "Secure Programming for Linux and Unix HOWTO" a
good start:

  http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/index.html


It contains a small section specifically for Python:

  http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/python.html


I don't think that we should go completely crazy over security issues:
these issues are often so subtle that even experts get caught.  But even
so, I think we still have a responsibility to make sure the most
egregious security problems never come to fruition.  So that's why most
of us here will say eval() and exec() are evil.  *grin*


I hope this helps!

_______________________________________________
Tutor maillist  -  [EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/tutor
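As an added illustration of the point made in this thread (it is not code from either poster), the snippet below shows the risky pattern of eval()'ing a CGI parameter next to a hardened version that only accepts plain literals via ast.literal_eval. The query strings are constructed sample input; the hostile one uses a harmless expression (__import__('os').getcwd()) just to show that eval() runs arbitrary code while literal_eval refuses it. The function names are my own.

```python
import ast
from urllib.parse import parse_qs

# Constructed sample query strings, as anyone can submit them by typing a
# GET string into the browser's address bar. Every parameter in them is
# untrusted input, exactly as the thread describes.
BENIGN_QUERY = "count=3&names=%5B%27alice%27%2C+%27bob%27%5D"
HOSTILE_QUERY = "count=__import__%28%27os%27%29.getcwd%28%29"


def parse_param_unsafe(query, name):
    """The risky pattern: eval() the raw parameter.

    Any Python expression placed in the query string is executed with the
    privileges of the CGI script. Shown only as the 'before' case.
    """
    value = parse_qs(query)[name][0]
    return eval(value)  # never do this with untrusted input


def parse_param_safe(query, name):
    """Hardened version: ast.literal_eval accepts only Python literals
    (numbers, strings, tuples, lists, dicts, sets, booleans, None).

    Function calls, attribute access, imports and names are not literals,
    so they raise ValueError instead of being executed.
    """
    value = parse_qs(query)[name][0]
    try:
        return ast.literal_eval(value)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(
            f"parameter {name!r} is not a plain literal: {value!r}"
        ) from exc


def parse_count(query, lower=0, upper=1000):
    """Better still: do not parse Python at all. When a parameter is meant
    to be an integer, convert it with int() and range-check it. The
    parameter then can never be interpreted as code, whatever it contains.
    """
    value = parse_qs(query).get("count", [""])[0]
    try:
        count = int(value, 10)
    except ValueError as exc:
        raise ValueError(f"count must be an integer, got {value!r}") from exc
    if not lower <= count <= upper:
        raise ValueError(f"count {count} outside [{lower}, {upper}]")
    return count


if __name__ == "__main__":
    print("safe count:", parse_param_safe(BENIGN_QUERY, "count"))
    print("safe names:", parse_param_safe(BENIGN_QUERY, "names"))
    print("unsafe eval ran code and returned:", parse_param_unsafe(HOSTILE_QUERY, "count"))
    try:
        parse_param_safe(HOSTILE_QUERY, "count")
    except ValueError as err:
        print("literal_eval rejected it:", err)
    print("validated count:", parse_count(BENIGN_QUERY))
```

The ordering of the three functions is the order of preference a reviewer would apply: eval() is out; ast.literal_eval is acceptable when a parameter genuinely has to carry a Python literal; and for anything with a known type, a plain conversion plus a bounds check is simplest and leaves no expression evaluator in the request path at all.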