On Tue, 25 Nov 2008 23:37:25 +0100, News123 <[EMAIL PROTECTED]> wrote:
> Jorgen Grahn wrote:
>> Compare with a language (does Perl allow this?) where if the string
>> is "rm -rf /|", open will run "rm -rf /" and start reading its output.
>> *That* interface would have been
> Good example. (
Jorgen Grahn wrote:
> Compare with a language (does Perl allow this?) where if the string
> is "rm -rf /|", open will run "rm -rf /" and start reading its output.
> *That* interface would have been
Good example. (for perl):
The problem doesn't exist in python
open("rm -rf / |") would try t
On Tue, 25 Nov 2008 02:26:32 -0500, r0g <[EMAIL PROTECTED]> wrote:
> Jorgen Grahn wrote:
...
>> Or am I missing something?
> No Jorgen, that's exactly what I needed to know i.e. that sending
> unfiltered text to open() is not negligent or likely to allow any
> badness to occur.
>
> As far as what
On Tue, 25 Nov 2008 20:40:57 +1300, Lawrence D'Oliveiro <[EMAIL PROTECTED]>
wrote:
> Jorgen Grahn wrote:
>
>> Seems to me you simply want to know beforehand that the reading will
>> work. But you can never check that! You can stat(2) the file, or
>> open-and-close it -- and then a microsecond la
Jorgen Grahn wrote:
> Seems to me you simply want to know beforehand that the reading will
> work. But you can never check that! You can stat(2) the file, or
> open-and-close it -- and then a microsecond later, someone deletes the
> file, or replaces it with another one, or write-protects it, or
Jorgen Grahn wrote:
> On Mon, 24 Nov 2008 00:44:45 -0500, r0g <[EMAIL PROTECTED]> wrote:
>> Hi there,
>>
>> I'm trying to validate some user input which is for the most part simple
>> regexery however I would like to check filenames and I would like this
>> code to be multiplatform.
>>
>> I had hop
On Mon, 24 Nov 2008 00:44:45 -0500, r0g <[EMAIL PROTECTED]> wrote:
> Hi there,
>
> I'm trying to validate some user input which is for the most part simple
> regexery however I would like to check filenames and I would like this
> code to be multiplatform.
>
> I had hoped the os module would have a
r0g wrote:
Yep, I spotted that too which is why white-listing is my fallback plan.
My question is really about the security of using unfiltered data in a
filesystem function though. Are there particular exploits that could
make use of such unfiltered calls?
The classic one would be submitting
r0g <[EMAIL PROTECTED]> wrote:
> Although it's a desktop (not internet facing) app I'm a little squeamish
> piping raw user input into a filesystem function like that and this app
> will be dealing with some particularly sensitive data so I want to be
> careful and minimize exposure where practica
Steven D'Aprano wrote:
> On Mon, 24 Nov 2008 00:44:45 -0500, r0g wrote:
>
>> Hi there,
>>
>> I'm trying to validate some user input which is for the most part simple
>> regexery however I would like to check filenames and I would like this
>> code to be multiplatform.
>>
>> I had hoped the os modu
On Mon, 24 Nov 2008 00:44:45 -0500, r0g wrote:
> Hi there,
>
> I'm trying to validate some user input which is for the most part simple
> regexery however I would like to check filenames and I would like this
> code to be multiplatform.
>
> I had hoped the os module would have a function that wo
Hi there,
I'm trying to validate some user input which is for the most part simple
regexery however I would like to check filenames and I would like this
code to be multiplatform.
I had hoped the os module would have a function that would tell me if a
proposed filename would be valid on the host