
classification
Title: raw_input() -> input() security issue
Type: (none)
Stage: resolved
Components: (none)
Versions: (none)

process
Status: closed
Resolution: not a bug
Dependencies: (none)
Superseder: (none)
Assigned To: (none)
Nosy List: Trundle, brian.curtin, eric.araujo, techtonik
Priority: normal
Keywords: (none)

Created on 2011-03-22 23:09 by techtonik, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Files
python3-security.py, uploaded by techtonik, 2011-03-22 23:11

Messages (5)
msg131805 - (view) Author: anatoly techtonik (techtonik) Date: 2011-03-22 23:09
2to3 converts raw_input() calls into input(), and input() runs all user data through eval(). This opens a hole in previously secure Python 2.x applications.

Is the author of this change aware of the issue?
msg131806 - (view) Author: Andreas Stührk (Trundle) * Date: 2011-03-22 23:12
`input()` in Python 3 is the same as `raw_input()` in Python 2. It does not evaluate the input as Python code.
msg131807 - (view) Author: Brian Curtin (brian.curtin) * (Python committer) Date: 2011-03-22 23:22
This is incorrect. Please look at Python/bltinmodule.c for how input() is implemented - there is no eval involved.
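The three behaviours under discussion side by side, as an added example that is neither tracker nor CPython code: a model of Python 3's input() (Python 2's raw_input()), a model of Python 2's input() (eval over the same line, the behaviour the report feared 2to3 had introduced), and ast.literal_eval as the hardened way to turn a typed line into a value when one is actually needed. The function names and the sample lines are constructed for the example.

```python
import ast
import io
import sys

# Constructed sample lines standing in for what a user might type at the prompt.
SAMPLE_LINES = [
    "42",
    "1 + 1",
    "[1, 2]",
    "__import__('os').getpid()",
]


def running_python3():
    """The reporter's mistake was running the converted file under Python 2;
    this is the check a converted script can make before trusting input()."""
    return sys.version_info[0] >= 3


def input_py3(stream=None):
    """Model of Python 3 input() / Python 2 raw_input(): read one line and
    return it as a str with the trailing newline removed. Nothing is evaluated."""
    stream = sys.stdin if stream is None else stream
    line = stream.readline()
    if line == "":
        raise EOFError("EOF when reading a line")
    return line.rstrip("\r\n")


def input_py2(stream=None):
    """Model of Python 2 input(): eval(raw_input()). Deliberately unsafe; any
    typed line is executed as a Python expression with full builtins."""
    return eval(input_py3(stream))


def parse_literal(line):
    """Hardened alternative when a typed value really is needed as data:
    ast.literal_eval accepts only literals (numbers, strings, bytes, tuples,
    lists, dicts, sets, booleans, None) and rejects names, calls and
    attribute access. A non-literal raises ValueError instead of executing."""
    try:
        return ast.literal_eval(line)
    except (ValueError, SyntaxError) as exc:
        raise ValueError("not a literal: %r" % line) from exc


def compare(text):
    """Return (py3_value, py2_value, literal) for one typed line; literal is
    None when ast.literal_eval refuses the line."""
    py3_value = input_py3(io.StringIO(text + "\n"))
    py2_value = input_py2(io.StringIO(text + "\n"))
    try:
        literal = parse_literal(text)
    except ValueError:
        literal = None
    return py3_value, py2_value, literal


if __name__ == "__main__":
    for text in SAMPLE_LINES:
        py3_value, py2_value, literal = compare(text)
        print("%-28r py3=%r  py2=%r  literal=%r" % (text, py3_value, py2_value, literal))
```

Under Python 3 the first element of every tuple is the untouched string, so nothing typed can run; the second element shows what Python 2's input() would have done with the same line (the last sample line calls os.getpid() and returns an integer, proving code execution); the third shows that ast.literal_eval parses "42" and "[1, 2]" but refuses both the arithmetic and the call.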
msg131809 - (view) Author: anatoly techtonik (techtonik) Date: 2011-03-22 23:28
Sorry. I accidentally ran the converted file with Python 2.x.

To avoid future confusions, should there be a reference in 2to3 docs to the behavior change for input() function?

From http://docs.python.org/library/2to3#2to3fixer-raw_input to http://docs.python.org/py3k/whatsnew/3.0.html#builtins
msg131814 - (view) Author: Éric Araujo (eric.araujo) * (Python committer) Date: 2011-03-22 23:38
I find http://docs.python.org/dev/library/functions#input clear enough.  Remember that 3.x is a clean cut, it does not carry information for 2.x users; those have enough information with http://docs.python.org/py3k/whatsnew/3.0#builtins IMO.
History
2022-04-11 14:57:15, admin, set: github: 55850
2011-03-22 23:38:52, eric.araujo, set: versions: - Python 3.2; nosy: + eric.araujo; messages: + msg131814; components: - 2to3 (2.x to 3.x conversion tool); stage: resolved
2011-03-22 23:29:06, brian.curtin, set: nosy: techtonik, Trundle, brian.curtin; type: security -> (no value)
2011-03-22 23:28:00, techtonik, set: type: security; messages: + msg131809; nosy: techtonik, Trundle, brian.curtin
2011-03-22 23:23:29, eric.smith, set: status: open -> closed; type: security -> (no value); resolution: not a bug; nosy: techtonik, Trundle, brian.curtin
2011-03-22 23:22:54, brian.curtin, set: nosy: + brian.curtin; messages: + msg131807
2011-03-22 23:12:52, Trundle, set: nosy: + Trundle; messages: + msg131806
2011-03-22 23:11:56, techtonik, set: files: + python3-security.py
2011-03-22 23:09:35, techtonik, create