2009/7/4 Angus Rodgers <ang...@bigfoot.com>:

>> Date: Sat, 04 Jul 2009 13:26:12 +0100
>> From: Angus Rodgers <ang...@bigfoot.com>
>> Message-ID: <vrhu451924b136aea0ivadnlqc4h7uq...@4ax.com>
> My response to this [but see the afterthought below!] is that I
> definitely need to put into the documentation string something
> like "*** THIS FUNCTION IS HIGHLY VULNERABLE TO A MALICIOUS USER
> ***", so that I will be strongly warned NEVER to incorporate it
> into any program that might be used by anyone other than myself.
>
> It might also be a good idea to include some kind of brief warning
> in the user prompts. (This won't put off a malicious user, of course,
> but it would help to keep me in mind of the potential danger.)

I personally would never release code to any sort of public calling eval on user-inputted (or even user-accessible) strings or using input(), even if you had to go through fifteen different dialogue boxes first (see below). Also, at a beginner level, as soon as you can manage without these, you should, perhaps even going so far as to delete the old function, so you never run the risk of copying and pasting it when not paying much attention.

There are always ignorant users, who can be influenced by malicious users, and might not know what I mentioned in my previous is wrong, therefore making warnings irrelevant. To give a classic example, as seen in IRC channels across the web:

<NewUser> How do I do XYZ in ABC?
<RandomJHacker> NewUser: Press Alt+F4 if you're on Windows.
<NewUser> Thanks.
#NewUser has quit - connection reset by peer#

Later...

#NewUser has joined the channel#
<NewUser> Every time I try to do XYZ, my IRC client shuts down.
<CodeChimp> NewUser: What command are you using?
<NewUser> CodeChimp: Alt+F4
<lurker69> lol
<CodeChimp> NewUser: That's a common problem. You can fix it in the config screen. Bring it up by holding down Ctrl and Alt, and pressing Del twice quickly.
<NewUser> ok
#NewUser has quit - connection reset by peer#
<lurker69> lol

Perhaps I enjoyed writing that a little too much... and I could easily go on. But I won't. Email me for the continuing saga of NewUser.
Anyone at a level to need to use input() appropriately is usually capable of writing their own script to do so, and would probably just be annoyed at any warnings you chose to stick in.

I've never gotten to the point where I've needed input(). I'm curious to know whether anyone on the list has.

--
Richard "Roadie Rich" Lovely, part of the JNP|UK Famile
www.theJNP.com

_______________________________________________
Tutor maillist - Tutor@python.org
http://mail.python.org/mailman/listinfo/tutor
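As an added example (not code from this thread or from either poster), here is the kind of replacement for Python 2's eval-based input() that the reply argues for: a Python 3 reader that accepts only literals and never evaluates expressions, calls or names. The helper names (parse_literal, parse_number, ask_number, scripted_reader) are chosen here and are not from the thread.

```python
import ast
from numbers import Number

def parse_literal(text):
    """Turn user-supplied text into a plain Python value without running code.

    Python 2's input() was equivalent to eval(raw_input()), so the text was
    executed as code. ast.literal_eval only accepts literals (numbers,
    strings, tuples, lists, dicts, sets, booleans, None); names, calls,
    attribute access and arithmetic are rejected, so we return None for them.
    """
    try:
        return ast.literal_eval(text.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return None

def parse_number(text):
    """Stricter still: accept a single int or float only (bool is excluded)."""
    value = parse_literal(text)
    if isinstance(value, bool) or not isinstance(value, Number):
        return None
    return value

def ask_number(prompt, read=input, attempts=3):
    """Prompt until the user types a bare number; give up after `attempts` tries.

    `read` defaults to the built-in input(), which in Python 3 returns the raw
    string (the old raw_input). It is a parameter so the loop can run without
    a terminal, e.g. with scripted_reader below.
    """
    for _ in range(attempts):
        value = parse_number(read(prompt))
        if value is not None:
            return value
    return None

def scripted_reader(answers):
    """Stand-in for input() that replays canned answers (constructed for demos)."""
    answers = iter(answers)
    return lambda prompt: next(answers)

if __name__ == "__main__":
    # Constructed sample: two rejected entries (an expression and a call),
    # then an accepted bare number.
    print(ask_number("Enter a number: ", read=scripted_reader(["2 ** 10", "len('abc')", "8"])))
```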