On Fri, 23 Mar 2018 10:39:05 -0600, Malcolm Greene wrote:

>> Perhaps it doesn't need to be said, but just to be sure: don't use eval
>> if you don't trust the people writing the configuration file. They can
>> do nearly unlimited damage to your environment. They are writing code
>> that you are running.
>
> Of course! Script and config file are running in a private subnet

Okay. So only users who have access to the private subnet can inject code
into your application. That covers a *lot* of ground:

"The private subnet is used by me and my wife, and we both have root on
the system and trust each other implicitly."

"The private subnet is used by five thousand really smart and technically
savvy but emotionally immature teens who are constantly trying to
escalate privileges and take over the system."

I always find it amusing when techies imagine that hackers on the
internet are the only security threat.

http://www.zdnet.com/article/the-top-five-internal-security-threats/

https://blog.trendmicro.com/most-data-security-threats-are-internal-forrester-says/

> and both are maintained by a single developer.

And this is relevant to the security risk in what way?

--
Steve
--
https://mail.python.org/mailman/listinfo/python-list
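
An added illustration of the warning quoted above (not code from this thread): a config loader that runs every value through eval, next to one that accepts only Python literals via the standard library's ast.literal_eval. The "key = value" file format, the sample values and the function names are assumptions made for the example.

```python
import ast

# Constructed sample config: one "key = <Python expression>" per line.
SAMPLE_CONFIG = """\
# constructed sample, not from the thread
retries = 3
hosts = ['db1.internal', 'db2.internal']
timeout = 2.5 * 2
banner = __import__('platform').node()
"""

def parse_lines(text):
    """Yield (lineno, key, raw_value) for each non-blank, non-comment line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        key, sep, raw = line.partition('=')
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key = value'")
        yield lineno, key.strip(), raw.strip()

def load_with_eval(text):
    """The pattern the thread warns about: every value is executed as code."""
    return {key: eval(raw) for _, key, raw in parse_lines(text)}

def load_literals_only(text):
    """Accept only Python literals; report everything else as rejected."""
    settings, rejected = {}, []
    for lineno, key, raw in parse_lines(text):
        try:
            settings[key] = ast.literal_eval(raw)
        except (ValueError, SyntaxError):
            # Anything that is not a plain literal (calls, imports,
            # attribute access, even arithmetic) lands here unexecuted.
            rejected.append((lineno, key))
    return settings, rejected

if __name__ == "__main__":
    settings, rejected = load_literals_only(SAMPLE_CONFIG)
    print("accepted:", settings)
    print("rejected (line, key):", rejected)
```

The literal-only loader also rejects the harmless `2.5 * 2`, which is the trade-off: the config file stops being a place where anyone, trusted or not, can write code.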