Hi all,

in a discussion of security risks with eval() and exec()

Alan Gauld said unto the world upon 2004-12-05 18:41:

Even in a config file, if it's plain text a hostile (or just
mischievous) user could add a dangerous line and when you try
to exec it bad things happen. Any time you allow users to
influence what code runs you have potential for trouble
- that is the principle behind all these "buffer overrun"
security errors as well as all the script kiddie attacks
- MS allows Outlook to run scripts when mail is open, if
those scripts are harmful we have a virus!

I didn't know that about Outlook. Thanks for that; it makes me glad I run www.mozilla.org/products/thunderbird/!



Danny Yoo said unto the world upon 2004-12-05 16:40:

Here is an example of a string that can cause a StackOverflow error to
happen:

###
s = "(lambda loop: loop(loop)) (lambda self: self(self))"
eval(s)
###

The string 's' here looks funky, but in effect, its definition is an
infinite loop in heavy lambda disguise.  (Well, it would have been
infinite if Python had tail call optimization... *grin*)

That's a really useful example. Thanks for posting it, Danny.

Best to all,

Brian vdB
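To make the point of the thread concrete, here is an added example (my own, not code from Alan, Danny, or the list): the same hostile strings fed to eval() and to ast.literal_eval(), the latter being the usual way to read a config file that contains only Python literals. The config text and the function-call string are constructed samples; the lambda string is the one from Danny's post.

```python
import ast

# Constructed sample inputs.
BENIGN_CONFIG = "{'timeout': 30, 'hosts': ['db1', 'db2'], 'debug': False}"
# The infinite-loop string from Danny's post.
HOSTILE_LOOP = "(lambda loop: loop(loop)) (lambda self: self(self))"
# Any function call at all: harmless here, but eval() will run it.
FUNCTION_CALL = "sum([1, 2, 3])"


def parse_config_with_eval(text):
    """The risky way: eval() executes whatever the string contains.

    Returns a (status, value) pair so the caller can see what happened.
    """
    try:
        return ("ok", eval(text))
    except RecursionError:
        # The lambda trick exhausts the interpreter stack; Python raises
        # RecursionError rather than crashing, but the code still ran.
        return ("recursion_error", None)


def parse_config_safely(text):
    """ast.literal_eval() builds only literals (numbers, strings, tuples,
    lists, dicts, sets, booleans, None). Anything that would execute
    code, such as a call or a lambda, is rejected before it can run."""
    try:
        return ("ok", ast.literal_eval(text))
    except (ValueError, SyntaxError):
        return ("rejected", None)


if __name__ == "__main__":
    for label, text in [("config", BENIGN_CONFIG),
                        ("loop", HOSTILE_LOOP),
                        ("call", FUNCTION_CALL)]:
        print(label, "eval:", parse_config_with_eval(text),
              "literal_eval:", parse_config_safely(text))
```

Note that literal_eval only stops code execution; a very large or deeply nested literal can still consume memory or hit the recursion limit, so the input length should be capped as well.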

_______________________________________________
Tutor maillist  -  [EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/tutor