"Michael Sparks" <[EMAIL PROTECTED]> wrote > You are COMPLETELY missing the point. The __following__ code > >> >> > foo = raw_input(...) >> >> > x = eval(foo) > > ONLY works if the user has console access to the machine.
Actually no. It applies to stdin which could be a console or a file.
I agree that raw_input is *usually* applicable to a console but

$ python myscript.py < mydirtydata.txt

will leave me open to all sorts of vulnerabilities. And if the python
script is embedded within a shell script then this scenario becomes quite
common and a valid security threat.

Regards,

--
Alan Gauld
Author of the Learn to Program web site
http://www.freenetpages.co.uk/hp/alan.gauld

_______________________________________________
Tutor maillist - Tutor@python.org
http://mail.python.org/mailman/listinfo/tutor
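
Added example, not part of the original thread: the eval-on-stdin pattern discussed above next to a literal-only reader that behaves the same for a console and a redirected file. It is written for Python 3 (where input() replaces raw_input); the function names and the sample lines standing in for mydirtydata.txt are constructed for illustration.

```python
import ast
import io


def read_value_unsafe(stream):
    """The pattern from the thread: evaluates whatever the line contains."""
    return eval(stream.readline().strip())


def read_value(stream):
    """Read one line from a stdin-like stream and parse it as a literal only."""
    line = stream.readline()
    if line == "":  # EOF: empty or exhausted redirected file
        raise EOFError("no input available")
    text = line.strip()
    try:
        # literal_eval accepts numbers, strings, tuples, lists, dicts, sets,
        # booleans and None; names and function calls are rejected.
        return ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        raise ValueError("rejected non-literal input: %r" % text) from exc


def classify(data):
    """Return (accepted values, rejection messages) for every line in data."""
    stream = io.StringIO(data)  # stands in for sys.stdin fed from a file
    accepted, rejected = [], []
    while True:
        try:
            accepted.append(read_value(stream))
        except EOFError:
            break
        except ValueError as exc:
            rejected.append(str(exc))
    return accepted, rejected


# Constructed sample input: two literals and one call expression.
SAMPLE = "42\n[1, 2, 3]\nabs(-7)\n"

if __name__ == "__main__":
    print(classify(SAMPLE))
```

In a real script, pass sys.stdin to read_value; the parsing is identical whether stdin is a terminal or a file supplied with shell redirection.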