[Python-3000] PEP 3131 accepted
Ian D. Bollinger ian.bollinger at gmail.com
Wed May 23 12:03:43 CEST 2007
Ka-Ping Yee wrote:
> 2. Python will become vulnerable to a new class of security exploits via the writing of misleading or malicious code that is visually indistinguishable from correct code. Consequently it will be more difficult for humans to inspect code and assure its correctness or trustworthiness. There is very little established best practice for addressing homograph security issues.

Isn't it already easy enough to do that today?

    >>> import base64; exec base64.decodestring('cHJpbnQgJ0hlbGxvLCB3b3JsZCEn\n')
    ...
    Hello, world!

Admittedly, you could look for anything like that and be suspicious, but running a program from an untrusted source is always going to be dangerous. For standalone applications, you can already do things like compile malicious C extension modules that are impossible to verify.
As for programs that use Python for scripting, shouldn't it be up to them to ensure that it runs in a restricted environment? A browser, for instance, would have to do that already.
- Ian D. Bollinger
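
The homograph concern raised in the quoted text can be checked mechanically during code review. The following is an added example, not part of the original message or of any Python tooling: it tokenizes Python 3 source and reports each non-ASCII identifier, flagging those that mix scripts. The names `SAMPLE`, `scripts_of` and `audit_identifiers` are hypothetical, and the sample source is constructed.

```python
import io
import tokenize
import unicodedata

# Constructed sample: line 1 spells "payload" with CYRILLIC SMALL LETTER A
# (U+0430), so it is a different variable from the all-ASCII name on line 2.
SAMPLE = (
    "p\u0430yload = 'shadow'\n"
    "payload = 'real'\n"
    "print(payload)\n"
    "gr\u00f6\u00dfe = 3\n"  # non-ASCII but single-script (Latin) identifier
)

def scripts_of(name):
    """Scripts used by the letters of name, taken from Unicode character names."""
    return sorted({unicodedata.name(ch, "UNKNOWN").split()[0]
                   for ch in name if ch.isalpha()})

def audit_identifiers(source):
    """Return (line, name, scripts, mixed) for each distinct non-ASCII identifier."""
    findings, seen = [], set()
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        # Only NAME tokens matter; strings and comments are separate token types.
        if tok.type != tokenize.NAME or tok.string.isascii():
            continue
        if tok.string in seen:
            continue
        seen.add(tok.string)
        scripts = scripts_of(tok.string)
        findings.append((tok.start[0], tok.string, scripts, len(scripts) > 1))
    return findings

if __name__ == "__main__":
    for line, name, scripts, mixed in audit_identifiers(SAMPLE):
        label = "MIXED-SCRIPT" if mixed else "non-ASCII"
        print(f"line {line}: {label} identifier {name!a} scripts={scripts}")
```

A name written entirely in one non-Latin script that imitates an ASCII name is reported only as non-ASCII here; distinguishing it from a legitimate identifier needs the Unicode confusables data, which this sketch does not use.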