Michael Sparks wrote:
>> Anything where user input is executed as code is a security hole and
>> should never be opened to untrusted users.
> 
> foo = raw_input(...)
> x = eval(foo)
> 
> Is an exception, in almost[*] every scenario I can think of. (and is the 
> context eval was being used as far as I can see without reading the whole 
> thread)
> 
> Why? Because if they can type on the keyboard of a machine that's running 
> raw_input they have the ability to do far more damage that way than any 
> other. (ability to use a real sledgehammer on the machine springs to mind
> :-)

Hmm...could be a remote connection such as ssh, which precludes the 
sledgehammer though probably not the sort of mischief you can get into 
with eval()...perhaps there are untrusted remote connections where 
eval() would still be a significant risk, I don't know...

Kent
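As an added illustration (not code from the thread), this is the usual defensive replacement for the `x = eval(foo)` pattern above when the program only needs a data value back: `ast.literal_eval` from the standard library parses literal syntax and refuses anything that would require running code. `SAMPLE_INPUTS` and the helper names are constructed here for the demonstration; `raw_input()` is Python 2, so the sample strings stand in for what `input()` would return in Python 3.

```python
import ast

# Constructed sample inputs, standing in for strings an untrusted user
# could type at raw_input()/input(). The last three need code execution
# to evaluate, which is exactly what literal_eval refuses to do.
SAMPLE_INPUTS = [
    "42",
    "[1, 2, 3]",
    "{'name': 'kent', 'count': 2}",
    "len('abc')",       # function call: rejected
    "some_variable",    # name lookup: rejected
    "().__class__",     # attribute access: rejected
]


def parse_user_value(text):
    """Turn user text into a Python literal without evaluating code.

    literal_eval accepts numbers, strings, bytes, tuples, lists, dicts,
    sets, booleans and None. Calls, names, attributes, subscripts and
    operators on non-numbers raise ValueError instead of being executed.
    """
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("input is not a plain literal: %r" % text) from exc


def parse_int_list(text):
    """Parsing is only half the job: also validate the shape you expect."""
    value = parse_user_value(text)
    if not isinstance(value, list) or not all(
        isinstance(item, int) and not isinstance(item, bool) for item in value
    ):
        raise ValueError("expected a list of integers, got %r" % (value,))
    return value


def classify_inputs(inputs):
    """Map each untrusted string to 'accepted' or 'rejected'."""
    verdicts = {}
    for text in inputs:
        try:
            parse_user_value(text)
            verdicts[text] = "accepted"
        except ValueError:
            verdicts[text] = "rejected"
    return verdicts


if __name__ == "__main__":
    for text, verdict in classify_inputs(SAMPLE_INPUTS).items():
        print("%-30s %s" % (text, verdict))
```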
_______________________________________________
Tutor maillist  -  Tutor@python.org
http://mail.python.org/mailman/listinfo/tutor
