In message <slrni2f8v2.j19.grahn+n...@frailea.sa.invalid>, Jorgen Grahn wrote:

> On Sat, 2010-06-26, Lawrence D'Oliveiro wrote:
>
>> In message <slrni297ec.1m5.grahn+n...@frailea.sa.invalid>, Jorgen Grahn
>> wrote:
>>
>>> I thought it was well-known that the solution is *not* to try to
>>> sanitize the input -- it's to switch to an interface which doesn't
>>> involve generating an intermediate executable. In the Python example,
>>> that would be something like os.popen2(['zcat', '-f', '--', untrusted]).
>>
>> That’s what I mean. Why do people consider input sanitization so hard?
>
> I'm not sure you understood me correctly, because I advocate
> *not* doing input sanitization. Hard or not -- I don't want to know,
> because I don't want to do it.

But no-one has yet managed to come up with an alternative that involves less work.
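
The two interfaces discussed in this thread, side by side, as an added example that is not part of the original messages. It assumes a POSIX `/bin/sh`, uses `subprocess.run` because `os.popen2` no longer exists in Python 3, and substitutes a small child process that reports its argument vector for `zcat`; the filename is constructed.

```python
import json
import shlex
import subprocess
import sys

# Stand-in for zcat (assumption): a child that reports the argv it was given.
# The real call would be ['zcat', '-f', '--', untrusted].
CHILD = [sys.executable, "-c",
         "import sys, json; print(json.dumps(sys.argv[1:]))"]


def _split(stdout):
    """Return (argv seen by the child, any further output lines)."""
    lines = stdout.splitlines()
    return json.loads(lines[0]), lines[1:]


def run_via_shell(untrusted):
    """'Before' pattern: the name is pasted into a command line for /bin/sh.

    The trusted prefix is quoted correctly; only the untrusted part is raw,
    so the shell is free to interpret any metacharacters it contains.
    """
    cmd = " ".join(shlex.quote(a) for a in CHILD) + " -f -- " + untrusted
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return _split(done.stdout)


def run_via_argv(untrusted):
    """List interface: no intermediate command line, so nothing is parsed.

    The '--' ends option processing, so a name that starts with '-' is
    still treated as a filename by the program that receives it.
    """
    argv = CHILD + ["-f", "--", untrusted]
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return _split(done.stdout)


if __name__ == "__main__":
    hostile = "notes.gz; echo INJECTED"   # constructed sample filename
    print("shell string:", run_via_shell(hostile))
    print("argv list:   ", run_via_argv(hostile))
    print("leading dash:", run_via_argv("--version"))
```

With the shell string, the child sees only `notes.gz` and the shell runs the rest as a second command; with the list, the whole string arrives as one argument.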