On Sep 1, 11:32 am, Steven D'Aprano <ste...@remove.this.cybersource.com.au> wrote:
> > But I don't quite understand why it is a security
> > risk. How is it different to run:
> > exec 'format(your_hdd)'
> > than:
> > /bin/python format.py
> > ?
>
> It's not different. But read what I said -- "if the string is coming from
> an UNTRUSTED source" -- presumably you trust yourself. If you run 'exec
> "format(your_hdd)"' it is because *you* want to format your hard disk.
>
> Now imagine you have a web-app which gets a string from the user and
> calls exec on it. Then you might have this:
>
> exec "search('%s')" % user_input
>
> and the user, who is halfway across the world, enters the following
> search string:
>
> places to eat'); import os; os.system('#rm -rf /
>
> Your web app will go right ahead and erase itself. That's why you need to
> keep untrusted strings away from exec, execfile, and eval.
Ah, I see! Ok.

> No, I believe that the only way to halt that is to halt the entire
> process.
>
> Possibly there is a way to have a thread halt itself after a certain
> amount of time? I'm not an expert on threads, I've hardly ever used them.

Thank you once again!
-- 
http://mail.python.org/mailman/listinfo/python-list
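The injection Steven describes, as an added example that is not part of the original thread. It is written for Python 3 (the thread uses Python 2's `exec` statement), and the `search()` function, the `RESULTS` table, the `EVIDENCE` list and the sample payload are all constructed here for illustration. The payload keeps the shape of the one in the thread (close the string literal and the call, run extra statements, re-open a call so the template's trailing `')` still parses), but instead of `rm -rf /` it appends to a list so the side effect is visible and harmless. The hardened version simply passes the user's string to `search()` as data, so no quoting trick can turn it into code.

```python
"""Added example: exec() on an untrusted string is code injection.

Everything below (RESULTS, EVIDENCE, search, the payload) is constructed
for the demonstration; it is not code from the thread.
"""

# Constructed stand-in for the web app's search backend.
RESULTS = {
    "places to eat": ["Cafe A", "Diner B"],
    "hotels": ["Hotel C"],
}

# Records any side effect an injected payload manages to cause, so the
# demonstration never has to run anything destructive.
EVIDENCE = []


def search(term):
    """The legitimate operation the web app meant to expose."""
    return RESULTS.get(term, [])


def run_search_vulnerable(user_input):
    """Builds Python source from the user's string and exec()s it.

    Mirrors `exec "search('%s')" % user_input` from the thread: the input
    is pasted into a string literal, so a single quote lets the user close
    the literal and append arbitrary statements.
    """
    namespace = {"search": search, "EVIDENCE": EVIDENCE, "hits": None}
    exec("hits = search('%s')" % user_input, namespace)
    return namespace["hits"]


def run_search_safe(user_input):
    """Passes the user's string as data, never as code.

    No escaping is needed: the string is handed to search() as a Python
    object, so it cannot change which statements execute.
    """
    return search(user_input)


# Constructed payload, same shape as the one in the thread. Fully expanded,
# the exec'd source becomes:
#   hits = search('places to eat'); EVIDENCE.append('injected'); search('')
PAYLOAD = "places to eat'); EVIDENCE.append('injected'); search('"


def demo():
    """Run the payload through both versions and report what happened."""
    EVIDENCE.clear()
    vuln_hits = run_search_vulnerable(PAYLOAD)
    injected = list(EVIDENCE)  # attacker-chosen statement ran
    EVIDENCE.clear()
    safe_hits = run_search_safe(PAYLOAD)  # just an odd search term
    return {
        "vulnerable_hits": vuln_hits,
        "injected": injected,
        "safe_hits": safe_hits,
        "safe_evidence": list(EVIDENCE),
    }


if __name__ == "__main__":
    print(demo())
```

Note that restricting the namespace passed to `exec` does not change the conclusion: the point of the thread is that an untrusted string must never reach `exec`, `execfile` or `eval` at all, so the fix is to call the intended function with the string as an argument rather than to build source text from it.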