
Author: nobody
Date: 2001-11-13 00:38:09

Content
Logged In: NO 

It's possible that the eval is safe, but validating that
takes a line by line code review of all the paths that
evaling a string can go through.  It's also brittle in
that maybe someone will change the evaluator (say to
support Perl-like interpolation) in a future Python version
and not remember to change the unpickler.  Something like
that has already happened with the Cookie module.  My
guess is that it happened with the pickle module--the
whole point of that quoted string check is that the 
original pickle implementer didn't trust the input. 
The stuff about unpickling class instances was added
later (maybe by another person) without remembering the
security issue. 

Using eval this way is like storing a vat of cyanide in
your child's bedroom.  Sure, maybe if you check the seals
and locks on the vat carefully enough, you can convince
yourself that your child won't be able to get to the
cyanide.  But wouldn't you feel safer just not having the
vat there at all?  That's basic safety-consciousness.
Security consciousness works the same way.  Try to keep
dangerous ingredients and attackers as far away from each
other as possible.

Paul
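The quoted-string check the message refers to, followed by plain escape decoding instead of eval, as an added example (not code from this bug report or from CPython's pickle module; the function names and the constructed inputs are assumptions):

```python
# Added example: decode a pickle STRING-opcode argument (a repr()-style
# quoted literal, one line with the trailing newline already removed)
# without ever handing the bytes to the Python evaluator.
import codecs


class UnpicklingError(ValueError):
    """Raised when the argument is not a single plain quoted literal."""


def _has_unescaped(body: bytes, quote: int) -> bool:
    """True if `quote` occurs in `body` outside a backslash escape."""
    escaped = False
    for b in body:
        if escaped:
            escaped = False
        elif b == 0x5C:          # backslash starts an escape sequence
            escaped = True
        elif b == quote:
            return True
    return False


def load_string_safe(line: bytes) -> bytes:
    """Return the decoded bytes of a quoted literal, or raise."""
    # The quoted-string check: same quote character at both ends.
    if len(line) < 2 or line[0] != line[-1] or line[0] not in b"\"'":
        raise UnpicklingError("STRING argument must be a quoted literal")
    body = line[1:-1]
    # An unescaped copy of the outer quote means the input is an
    # expression such as 'a' + 'b', which eval would compute but a
    # literal decoder must reject: a pickler never emits that form.
    if _has_unescaped(body, line[0]):
        raise UnpicklingError("unescaped quote inside STRING argument")
    # codecs.escape_decode only expands \n, \t, \\, \', \", \xNN and
    # octal escapes; it is a data transformation with no evaluator behind it.
    decoded, _consumed = codecs.escape_decode(body)
    return decoded


def is_plain_literal(line: bytes) -> bool:
    """Convenience predicate: does `line` decode as a plain literal?"""
    try:
        load_string_safe(line)
    except UnpicklingError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: two literals, then three rejected forms.
    for sample in (b"'hello\\x41'", b"'it\\'s\\n'", b"'a' + 'b'",
                   b"hello", b"'mismatched\""):
        print(sample, "->", load_string_safe(sample) if
              is_plain_literal(sample) else "rejected")
```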

History
Date                User   Action  Args
2007-08-23 13:56:49 admin  link    issue471893 messages
2007-08-23 13:56:49 admin  create