Need some quick help here...
Moshe Zadka
m at moshez.org
Mon Jun 16 05:57:28 EDT 2003
On Sun, 15 Jun 2003, Zac Jensen <listbox at cybereal.org> wrote:

> I have a bit of an issue in something I'm designing.
> It's a security issue.
> Here's what happens at the point of concern.
> Arbitrary code is accepted to be run through an eval statement that looks
> like
> eval(a_repr, {'__builtins__':None})

At that point, you no longer have any security. Really :)

> I'm looking for any example that could still cause problems, and optionally a
> suggested solution within the bounds of the problem.

Use your OS security. Or, alternatively, a better serialization mechanism.

PS a_repr="[[0]*100000 for x in [0]*100000]" took enough time that I gave up.
Are you willing to have your application hang for upwards of a minute? While
consuming lots of CPU and memory? I'm not saying that this is the worst
example, I just came up with it in playing around for a minute...

-- 
Moshe Zadka -- http://moshez.org/
Buffy: I don't like you hanging out with someone that... short.
Riley: Yeah, a lot of young people nowadays are experimenting with shortness.
Agile Programming Language -- http://www.python.org/
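The "better serialization mechanism" the reply points at, as an added example that is not part of the thread: instead of passing untrusted text to `eval` with a stripped `__builtins__` (which still parses and executes arbitrary expressions, including the CPU- and memory-hungry comprehension above), parse it with `ast.literal_eval`, which only accepts Python literals (numbers, strings, tuples, lists, dicts, sets, booleans, None) and refuses comprehensions, calls, names and attribute access. The function names, the `UnsafeInputError` type and the `MAX_INPUT_LEN` cap are assumptions made for this example; the cap bounds parser work on oversized or deeply nested input before any parsing happens.

```python
import ast

# Constructed limit: bound the size of untrusted text before it reaches the parser,
# so an attacker cannot make us spend unbounded time just tokenising input.
MAX_INPUT_LEN = 4096


class UnsafeInputError(ValueError):
    """Raised when untrusted text is not a plain Python literal."""


def load_untrusted_repr(text, max_len=MAX_INPUT_LEN):
    """Deserialize a repr()-style string from an untrusted source.

    Only literal data is accepted; anything that would require executing
    code (comprehensions, calls, operators, names) is rejected.
    """
    if not isinstance(text, str):
        raise UnsafeInputError("expected a string")
    if len(text) > max_len:
        raise UnsafeInputError("input longer than %d characters" % max_len)
    try:
        # literal_eval builds the value from the AST without executing it.
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        # ValueError: non-literal node (e.g. a list comprehension or a call)
        # SyntaxError/MemoryError/RecursionError: malformed or pathologically nested input
        raise UnsafeInputError("not a literal: %s" % exc) from None


def is_accepted(text):
    """True if load_untrusted_repr would accept the text, False otherwise."""
    try:
        load_untrusted_repr(text)
        return True
    except UnsafeInputError:
        return False


if __name__ == "__main__":
    # Constructed inputs: ordinary data round-trips, code does not.
    print(load_untrusted_repr("[1, 2, {'a': 'b'}]"))
    print(is_accepted("[[0]*100000 for x in [0]*100000]"))  # the payload from the thread
    print(is_accepted("len([])"))
```

Note that `ast.literal_eval` still parses the whole input, so the length cap matters: it is what keeps very large or deeply nested documents from costing parser time and stack depth, and it should be set from what the application actually needs to accept rather than left at the constructed default.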