Michael Sparks wrote:
> On Monday 13 August 2007 21:53, Kent Johnson wrote:
>
>> Hmm...could be a remote connection such as ssh, which precludes the
>> sledgehammer though probably not the sort of mischief you can get into
>> with eval()...perhaps there are untrusted remote connections where
>> eval() would still be a significant risk, I don't know...
>>
>
> If they can ssh into a box, the likelihood of that ssh connection *only*
> allowing them access to run that single python program strikes me as
> vanishingly small :-)
>
Unless you set it up that way specifically, i.e. making the interactive
python program their login shell or specifying it to be run in their
.ssh/config.

> Generally speaking I agree that eval is a good opportunity for problems, but
> if it's in response to raw_input, I think the likelihood of it being the
> biggest potential security problem is low :)
>
> (After all, if they're ssh'ing in, they're more likely to ssh in, *then* run
> the code. They could happily delete and trash all sorts of things either
> inside or outside python. They could even write their own scripts to assist
> them in their devilish plans too, far exceeding the minor demon of eval ;-)
>
> Eval can however be an amazingly useful function, especially when combined
> with exec.
>
>
> Michael.
> _______________________________________________
> Tutor maillist - Tutor@python.org
> http://mail.python.org/mailman/listinfo/tutor
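The eval()-on-raw_input() pattern the thread is arguing about, shown side by side with the usual hardened form. This is an added example, not code posted by anyone in the thread. It assumes Python 3 (input() rather than raw_input()); the two sample inputs are constructed, and the "malicious" one calls os.getpid() as a harmless stand-in for anything a remote user could type, since a string fed to eval() is executed exactly as if the user had a Python prompt. ast.literal_eval() accepts only literals (numbers, strings, lists, dicts, ...) and raises on calls, attribute access and names, which is the property that matters when the program is the only thing the ssh login is supposed to run.

```python
import ast
import os

# Constructed sample inputs, as a remote user might type them at the prompt.
BENIGN = "[1, 2, 3]"
# Harmless stand-in for e.g. __import__('os').system('rm -rf ~'); it proves
# that arbitrary code runs, not just that an expression is evaluated.
MALICIOUS = "__import__('os').getpid()"


def unsafe_eval(text):
    """The pattern under discussion: eval() straight on user input.

    Anything the user types is executed with the program's privileges, so a
    login restricted to 'just this program' is no restriction at all.
    """
    return eval(text)


def safe_eval(text):
    """Accept only Python literals; reject everything else with ValueError.

    ast.literal_eval() never evaluates names, calls or attribute access, so
    __import__(...), os.system(...), open(...) and friends cannot get through.
    """
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError) as exc:
        raise ValueError("input is not a Python literal: %r" % text) from exc


def demo():
    """Run both variants over the constructed inputs and report what happened."""
    results = {}
    results["unsafe_benign"] = unsafe_eval(BENIGN)
    # eval() happily ran the call: the returned value is this process's pid.
    results["unsafe_malicious_ran_code"] = unsafe_eval(MALICIOUS) == os.getpid()
    results["safe_benign"] = safe_eval(BENIGN)
    try:
        safe_eval(MALICIOUS)
        results["safe_malicious_rejected"] = False
    except ValueError:
        results["safe_malicious_rejected"] = True
    return results


def prompt_loop():
    """Interactive form of the hardened version (Python 3 input())."""
    while True:
        line = input("literal> ")
        if not line:
            break
        try:
            print(repr(safe_eval(line)))
        except ValueError as exc:
            print("rejected:", exc)


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

Note that if the program genuinely needs expressions rather than literals, literal_eval() is not enough and the remaining options are a real parser for the expression grammar you intend to accept, not eval() with a filtered globals dict, which is routinely bypassed through object attribute walks.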