On 2016-04-05, Chris Angelico <ros...@gmail.com> wrote:
> On Wed, Apr 6, 2016 at 12:50 AM, Ian Kelly <ian.g.ke...@gmail.com> wrote:
>> Same here, although it looks to me like this approach could work. Or
>> I'm just not clever enough to see how it could be exploited.
>
> Having been bitten in the past (our test box was compromised by
> python-list white hats within 20 minutes of the invitation being sent
> out), I would go with the second of your options. Nearly anything is
> vulnerable if it's permitted to execute arbitrary code; all it takes
> is a sufficiently smart operator.

I am inviting sufficiently smart operators to demonstrate the flaw in my suggested code ;-)

--
https://mail.python.org/mailman/listinfo/python-list