From: Grant Edwards
Newsgroups: comp.lang.python
Subject: Re: Yet another attempt at a safe eval() call
Date: Fri, 4 Jan 2013 16:16:09 +0000 (UTC)
Organization: PANIX Public Access Internet and UNIX, NYC
Message-ID:
References: <50e6891c$0$30003$c3e8da3$5496439d@news.astraweb.com>
NNTP-Posting-Host: dsl.comtrol.com
User-Agent: slrn/pre1.0.0-18 (Linux)

On 2013-01-04, Michael Torrie wrote:
> On 01/04/2013 08:53 AM, Grant Edwards wrote:
>> That's obviously the "right" thing to do. I suppose I should figure
>> out how to use the ast module.
>
> Or PyParsing.
>
> As for your program being "secure" I don't see that there's much to
> exploit.

There isn't.

> You're not running as a service, and you're not running your
> assembler as root, called from a normal user. The user has your code
> and can "exploit" it anytime he wants.

I'm just trying to prevent surprises for people who are running the
assembler. We have to assume that they trust the assembler code to not
cause damage intentionally. But, one would not expect them to have to
worry that assembly language input fed to the assembler code might cause
some sort of collateral damage.

Sure, I can change the source code for gcc so that it wreaks havoc when
I invoke it. But, using the stock gcc compiler there shouldn't be any
source file I can feed it that will cause it to mail my bank account
info to somebody in Eastern Europe, install a keylogger, and then remove
all my files.
-- 
Grant Edwards               grant.b.edwards at gmail.com
Yow! I have a TINY BOWL in my HEAD
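The ast-based approach the reply points to, written out as an added example (not code from the thread or from the assembler being discussed): parse the expression with `ast.parse`, which never executes anything, then walk the tree and evaluate only literal integers, symbol names, and a fixed set of arithmetic and bitwise operators, refusing every other node type. The symbol-table dict and the exact operator set are assumptions for the example; it assumes Python 3.8 or later for `ast.Constant`.

```python
import ast
import operator

# Operators an assembler expression may use (an assumed set for this example).
# "/" is mapped to integer division, as assemblers usually treat it.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.floordiv, ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod, ast.LShift: operator.lshift,
    ast.RShift: operator.rshift, ast.BitAnd: operator.and_,
    ast.BitOr: operator.or_, ast.BitXor: operator.xor,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos,
              ast.Invert: operator.invert}


def safe_eval(expr, symbols=None):
    """Evaluate an integer expression taken from an assembler source line.

    Only int literals, names found in `symbols`, and the operators above are
    accepted.  Calls, attribute access, subscripts, lambdas, comprehensions
    and every other node type raise ValueError instead of being evaluated.
    """
    symbols = symbols or {}
    tree = ast.parse(expr, mode="eval")  # parses only; runs no code

    def _eval(node):
        if isinstance(node, ast.Expression):
            return _eval(node.body)
        if (isinstance(node, ast.Constant) and isinstance(node.value, int)
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.Name):
            if node.id not in symbols:
                raise ValueError("undefined symbol: %s" % node.id)
            return symbols[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](_eval(node.left), _eval(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](_eval(node.operand))
        raise ValueError("disallowed syntax: %s" % type(node).__name__)

    return _eval(tree)


def expression_is_allowed(expr, symbols=None):
    """True if `expr` evaluates under the whitelist, False if it is rejected."""
    try:
        safe_eval(expr, symbols)
        return True
    except (ValueError, SyntaxError):
        return False
```

Because `ast.parse` is a real parser, pathologically nested input can still raise RecursionError or MemoryError rather than ValueError, so an assembler should catch those too and report a malformed line.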