On Fri, 21 Nov 2014 08:54:23 -0500, random832 wrote:
> On Fri, Nov 21, 2014, at 05:33, alister wrote:
>> the problem with input is code-injection which is very similar to sql
>> injection (httpd://xkcd.com/327).
>>
>> the data entered by the user is processed as if it was python code,
>> this means the user could enter a command (or sequence of commands)
>> that cause serious problems to you computer including but not limited
>> to:-
>
> Except standard input for interactive programs is rarely across a
> privilege boundary. The user can accomplish any of these far more easily
> by entering a command into their shell. (Well, more easily depending on
> which is better able to use the API for their central heating, but the
> others certainly).
>
> There are good reasons to avoid it (user is likely to be surprised by
> weird error messages, causing a crash due to a typo), but this kind of
> paranoia is the same as has people in some circles refusing to use
> strlcpy or fgets because they can cause silent truncation.
If the program in question is purely for personal use then indeed it is
not important, as you say I can just as easily stuff my computer without
needing to play silly b******s with a python script.
It is if the program is ever going to be used by others (or possibly
worse running on something like a web server exposed to the public
internet) that needs paranoia.
my own personal opinion is that it is best to get into good habits even
with personal use "Quick & Dirty" scripts, you never know how they could
evolve
--
"What terrible way to die."
"There are no good ways."
-- Sulu and Kirk, "That Which Survives", stardate unknown
--
https://mail.python.org/mailman/listinfo/python-list
