On Monday 13 August 2007 21:53, Kent Johnson wrote:
> Hmm...could be a remote connection such as ssh, which precludes the
> sledgehammer though probably not the sort of mischief you can get into
> with eval()...perhaps there are untrusted remote connections where
> eval() would still be a significant risk, I don't know...

If they can ssh into a box, the likelihood of that ssh connection *only*
allowing them access to run that single python program strikes me as
vanishingly small :-)

Generally speaking I agree that eval is a good opportunity for problems,
but if it's in response to raw_input, I think the likelihood of it being
the biggest potential security problem is low :)

(After all, if they're ssh'ing in, they're more likely to ssh in, *then*
run the code. They could happily delete and trash all sorts of things
either inside or outside python. They could even write their own scripts
to assist them in their devilish plans too, far exceeding the minor demon
of eval ;-)

Eval can however be an amazingly useful function, especially when
combined with exec.

Michael.