> foo = raw_input(...)
> x = eval(foo)
>
> Is an exception, in almost[*] every scenario I can think of. (and is the
> context eval was being used as far as I can see without reading the whole
> thread)
>
>   [*] One scenario that seems unlikely but possible is a scenario where a
>       machine has been put into a form of kiosk mode where the *only* thing
>       they can do is type responses to the raw_input prompt. Given where
>       raw_input runs, this strikes me as highly unrealistic/unlikely.
>
> Why? Because if they can type on the keyboard of a machine that's running
> raw_input they have the ability to do far more damage that way than any
> other. (ability to use a real sledgehammer on the machine springs to mind
> :-)

Let your program run on your machine and I'll walk by, type in this string, 
and hit enter. We'll see how much of an exception it is when you can't boot 
your XP machine anymore.
;-)

"file('boot.ini','w').close()"

Of course, x would be set to None (the return value of the file method 
close()), but the damage is already done.
btw - that *one scenario* happens a lot more often than you think. For 
example, you write a library. It doesn't have to be raw_input. You could get 
that string from anywhere. A text box, a username. A registry value!! If 
your program uses eval on a registry string, someone could set that key 
beforehand to something similar to above.
JS 
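The defensive alternative the thread is circling around, as an added example (not code from the post or its author): instead of eval, parse untrusted text with ast.literal_eval, which accepts only literal syntax and rejects calls, attribute access and imports, so the boot.ini string above is refused rather than executed. The sample inputs and the helper names (parse_literal, parse_int, classify_inputs) are constructed for this illustration; the same applies whether the text comes from raw_input, input() on Python 3, a text box or a registry value.

```python
import ast

# Constructed sample inputs: the string from the post plus a few benign literals.
SAMPLE_INPUTS = [
    "42",
    "[1, 2, 3]",
    "{'name': 'alice'}",
    "file('boot.ini','w').close()",   # the string from the post: a call, not a literal
    "__import__('os')",                # another expression that eval would execute
]


def parse_literal(text):
    """Parse a Python literal (number, string, list, dict, tuple, bool, None)
    from untrusted text without executing any code.

    ast.literal_eval only evaluates literal syntax: function calls, attribute
    access, names and imports raise ValueError, and text that is not valid
    Python at all raises SyntaxError. Returns (True, value) on success and
    (False, reason) otherwise, so the caller never sees an exception from
    malicious input.
    """
    try:
        return True, ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        return False, "%s: %s" % (type(exc).__name__, exc)


def parse_int(text, low=0, high=100):
    """Stricter still: when the program only needs a number in a known range,
    parse exactly that with int() and accept nothing else (no eval at all).
    Returns the integer, or None if the text is not an in-range integer."""
    try:
        value = int(text.strip(), 10)
    except ValueError:
        return None
    if low <= value <= high:
        return value
    return None


def classify_inputs(inputs):
    """Return {text: 'literal' | 'rejected'} for each sample input."""
    result = {}
    for text in inputs:
        ok, _ = parse_literal(text)
        result[text] = "literal" if ok else "rejected"
    return result


if __name__ == "__main__":
    for text, verdict in classify_inputs(SAMPLE_INPUTS).items():
        print("%-32s -> %s" % (text, verdict))
```

If the program never needed a Python object in the first place, parse_int shows the better habit: decide what shape the input must have and accept only that, which leaves no evaluator for an attacker to reach.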

_______________________________________________
Tutor maillist  -  Tutor@python.org
http://mail.python.org/mailman/listinfo/tutor