Path: csiph.com!usenet.pasdenom.info!weretis.net!feeder4.news.weretis.net!rt.uk.eu.org!newsfeed.xs4all.nl!newsfeed4.news.xs4all.nl!xs4all!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.008 X-Spam-Evidence: '*H*': 0.98; '*S*': 0.00; 'bash': 0.07; 'exec': 0.07; 'scripts': 0.09; 'python': 0.09; '-rf': 0.09; 'script,': 0.09; 'subject:module': 0.09; "hasn't": 0.15; 'exactly?': 0.16; 'setuid': 0.16; 'sources.': 0.16; 'subject:accessing': 0.16; 'subject:created': 0.16; 'wrote:': 0.17; 'script.': 0.17; 'shell': 0.18; 'import': 0.21; 'script': 0.24; 'header:In-Reply-To:1': 0.25; 'header:User-Agent:1': 0.26; 'creating': 0.26; 'am,': 0.27; 'run': 0.28; 'mind,': 0.29; "they'll": 0.29; 'things,': 0.29; 'running': 0.32; 'to:addr:python-list': 0.33; 'data,': 0.35; 'pm,': 0.35; 'michael': 0.36; 'possible': 0.37; 'two': 0.37; 'subject:: ': 0.38; 'to:addr:python.org': 0.39; 'received:192': 0.39; 'received:192.168': 0.40; 'your': 0.60; 'most': 0.61; 'different': 0.63; 'more': 0.63; 'dangerous': 0.66; 'soon': 0.70; 'received:74.208': 0.71; 'slope': 0.84; 'angel': 0.93 Date: Tue, 12 Mar 2013 07:20:07 -0400 From: Dave Angel User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130221 Thunderbird/17.0.3 MIME-Version: 1.0 To: python-list@python.org Subject: Re: Running external module and accessing the created objects References: <513aecd3$0$6512$c3e8da3$5496439d@news.astraweb.com> <513E7B6B.5070608@davea.name> <513EA973.7000705@gmail.com> In-Reply-To: <513EA973.7000705@gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Provags-ID: V02:K0:UvvHbqBFnt/MOh133egFwT5+rB6VXqkJr8lJoVbvLo8 HrpVVh2bhDhk77JSPcr4oa3K2nZxmthaYXuSzN0jnvfD1rGgKO B9bOa5qD9eY60HMlYvQRjJWSyR+h4iGqnD1yDyQEy+FVdgE8lY 2MDT0XlWBanTDiP/wh1DCKcZVusWdr5jFEN1RtsLzaFHGI/Hy/ lwqTqGQeK+LCn9EUcGmhFSP9rJX6F3PqH9fi039QXaZmossbLh tIsnno//NNSIFRBrVq6yeexdNV4ta3QNPHpzvX34wT5KlutH97 ep3uO//OIB1O3S00N7beCgpjKe70sAHngtmjQ/Cj7b8U4MFqg= = X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 22 NNTP-Posting-Host: 2001:888:2000:d::a6 X-Trace: 1363087228 news.xs4all.nl 6883 [2001:888:2000:d::a6]:59208 X-Complaints-To: abuse@xs4all.nl Xref: csiph.com comp.lang.python:41114 On 03/12/2013 12:05 AM, Michael Torrie wrote: > On 03/11/2013 06:48 PM, Dave Angel wrote: >> I hope you're just kidding. execfile() and exec() are two of the most >> dangerous mechanisms around. import or __import__() would be much >> better, as long as your user hasn't already run myapp.py as his script. > > It's not possible to setuid a python script, so I don't see how execfile > or exec is any more dangerous than the user creating a shell script that > rm -rf * things, and then running it. > > Bash "exec's" scripts all the time that users create and provide. How > is this different and what issues did you have in mind, exactly? > Mainly that exec and execfile are a slippery slope for a new programmer. Once as they get it in their minds that this is the way to do things, they'll soon fall into using one of them on raw_input() data, on network data, and on other untrusted sources. -- DaveA