[Python-Dev] Python and Security

Aahz Maruch aahz@rahul.net
Sun, 20 Jan 2002 17:38:59 -0800 (PST)


Barry A. Warsaw wrote:

>>>>> "MvL" == Martin v Loewis <martin@v.loewis.de> writes:

    | - invoking exec or eval on a string of unknown origin
    | - unpickling an arbitrary string
    | - performing getattr with a parameter of unknown origin.

Don't forget os.system(), popen(), and friends, i.e. passing unsanitized strings to the shell. In my long rusty Perl experience, this was the most common reason to use taint strings.

More precisely, because Perl culture developed as a superset of shell scripts, it used to be all-too-common for Perl scripts to get their data by parsing the output of a Unix utility (instead of calling a library function directly). This necessarily spawned a subshell where malicious input could be a security problem. (When I was learning Perl, the available books often taught this programming style.)

I've heard that Perl culture has changed, but the taint capability is still there because too many Perlers stick to their trusty poor habits.

Pythonistas, of course, never learned bad habits. ;-)

                  --- Aahz (@pobox.com)

Hugs and backrubs -- I break Rule 6                 <*>   http://www.rahul.net/aahz/
Androgynous poly kinky vanilla queer het Pythonista

We must not let the evil of a few trample the freedoms of the many.
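The "unsanitized strings to the shell" problem Barry raises, and the two ways out the thread alludes to (quote the input if the shell is unavoidable, or call a library function instead of parsing a utility), as an added example in present-day Python; this is not code from the thread. The filename is constructed, shlex.quote() and subprocess postdate the 2002 discussion, and the subprocess variant assumes GNU du is installed.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed "user-supplied" filename; /bin/sh reads the ';' as a command separator.
UNTRUSTED = "report.txt; rm -rf /tmp/important"

def shell_tokens(command: str) -> list:
    """Tokenize like a POSIX shell, keeping ';', '|', '&&' as their own tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)

def command_count(command: str) -> int:
    """How many separate commands the shell would run for this string."""
    return 1 + sum(tok in (";", "&&", "||", "|") for tok in shell_tokens(command))

def naive_size_command(filename: str) -> str:
    """The pattern the thread warns about: the string os.system()/os.popen()
    would hand to the shell, with the filename interpolated unquoted."""
    return f"du -s {filename}"

def quoted_size_command(filename: str) -> str:
    """If the shell is unavoidable, shlex.quote() turns the input into one argument."""
    return f"du -s {shlex.quote(filename)}"

def size_via_subprocess(path: str) -> int:
    """No shell at all: an argument list with shell=False is passed verbatim
    (assumes GNU du; '--' stops a filename starting with '-' being read as an option)."""
    out = subprocess.run(["du", "-s", "--", path], capture_output=True,
                         text=True, check=True).stdout
    return int(out.split()[0])

def file_size(path: str) -> int:
    """The library-call alternative: no utility output to parse, nothing to inject."""
    return os.stat(path).st_size

def demo_library_size(contents: bytes) -> int:
    """Write a constructed temp file and measure it through file_size()."""
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(contents)
        name = fh.name
    try:
        return file_size(name)
    finally:
        os.unlink(name)
```

shell_tokens() shows what the shell would have executed without ever running it: the naive string becomes two commands, the quoted one stays a single du invocation.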