> > - MS allows Outlook to run scripts when mail is open, if
> > those scripts are harmful we have a virus!
That is (was, they've improved it a lot) the number one cause
of script kiddie virii. Simply viewing a mail message in the
preview pane was enough to trigger a script. They have
improved s
Hi all,
in a discussion of security risks with eval() and exec()
Alan Gauld said unto the world upon 2004-12-05 18:41:
Even in a config file, if it's plain text a hostile (or just
mischievous) user could add a dangerous line and when you try
to exec it bad things happen. Any time you allow users to
On Sun, 5 Dec 2004, Danny Yoo wrote:
>
> It pays to see a concrete example of an exploit that has occurred because
> of exec/eval misuse. For example, here's an old one from July 2002:
>
> http://www.securityfocus.com/bid/5255/discussion/
>
> Note that this one was in the Standard Library!
On Sun, 5 Dec 2004, Alan Gauld wrote:
> > And I can't see the security problem, unless there's a security
> > problem already, like if I allowed incoming email to dictate the
> > parameters that I send through the socket. The email provides data
> > for argv[1:] but argv[0] is hard-coded.
> >
>
> And how can __import__ be safer?
Safer because it is limited in what it can do, import a file.
The file must exist in the python path, so it's much harder for
the user to do something bad - they have to create a new file
with malicious code in it and insert it into the python path
and then get th
> And I can't see the security problem, unless there's a security
> problem already, like if I allowed incoming email to dictate the
> parameters that I send through the socket. The email provides data
> for argv[1:] but argv[0] is hard-coded.
>
> And I don't see how web traffic can get there at a
> I don't want to introduce insecurity. But also I want to really
> understand what the problem is -- especially because I teach python.
Hi Marilyn,
Here is an example of a string that can cause a StackOverflow error to
happen:
###
s = "(lambda loop: loop(loop)) (lambda self: self(self))"
eva
And how can __import__ be safer? If an attacker can usurp the string
in an exec call, couldn't he usurp the string in an __import__ call?
And couldn't he import untrusted code? It could have a call to exec()
in it? And what about the apply() function? Aren't all of these the
same open door?
I
On Sat, 4 Dec 2004, Chad Crabtree wrote:
> Marilyn Davis wrote:
>
> >Thank you. You guys are great.
> >
> >I was trying to eval("import %s" % something).
> >
> >exec("import %s" % something) works just fine and now I understand
> why.
> >
> >But, why is this so extremely dangerous?
> >
> >Mari
> I was trying to eval("import %s" % something).
>
> exec("import %s" % something) works just fine and now I understand
why.
But much better to use the __import__() function for doing that
if possible... Or simply importing all the modules you might need
at the beginning, it's not a big overhead...
> dictionary of database instances, dbtables, keyed on table name,
> and I want a general way of creating variables with the name of
> the table so I'm not accessing the dictionary. Would something
> like this work:
>
> # dbtables is already built
> for table in dbtables.keys():
> exec("%s = dbta
Marilyn Davis wrote:
Thank you. You guys are great.
I was trying to eval("import %s" % something).
exec("import %s" % something) works just fine and now I understand why.
But, why is this so extremely dangerous?
The danger is in exec'ing code whose source is not trusted.
Using exec to import a
Thank you. You guys are great.
I was trying to eval("import %s" % something).
exec("import %s" % something) works just fine and now I understand why.
But, why is this so extremely dangerous?
Marilyn
___
Tutor maillist - [EMAIL PROTECTED]
http
On Sat, Dec 04, 2004, Gonçalo Rodrigues wrote:
>Bill Campbell wrote:
...
>>>Both are extremely dangerous functions from a security
>>>and maintenance/reliability point of view and should be
>>>used very rarely.
>>
>>
>>True enough, but useful upon occasion. In particular I've had a
>>question on
Bill Campbell wrote:
On Sat, Dec 04, 2004, Alan Gauld wrote:
I'm having trouble understanding the difference between eval and
exec.
eval evaluates an *expression* - that is something that returns a
value.
...
Both are extremely dangerous functions from a security
and maintenance/reliability point
On Sat, Dec 04, 2004, Alan Gauld wrote:
>> I'm having trouble understanding the difference between eval and
>exec.
>
>eval evaluates an *expression* - that is something that returns a
>value.
>
...
>Both are extremely dangerous functions from a security
>and maintenance/reliability point of view a
Brian van den Broek said unto the world upon 2004-12-04 04:28:
Marilyn Davis said unto the world upon 2004-12-04 01:37:
Hello Tutors,
I'm having trouble understanding the difference between eval and exec.
Can anyone explain it to me please?
Marilyn Davis
Hi Marilyn,
does this help?
Darn. I left a
> I'm having trouble understanding the difference between eval and
exec.
eval evaluates an *expression* - that is something that returns a
value.
exec executes a piece of code, it need not return a value.
eval is slightly safer than exec (but not much).
Some examples:
print 'hello' # use exe
Marilyn Davis said unto the world upon 2004-12-04 01:37:
Hello Tutors,
I'm having trouble understanding the difference between eval and exec.
Can anyone explain it to me please?
Marilyn Davis
Hi Marilyn,
does this help?
print a
Traceback (most recent call last):
File "", line 1, in -toplevel-
Hello Tutors,
I'm having trouble understanding the difference between eval and exec.
Can anyone explain it to me please?
Marilyn Davis
--