From: Chris Angelico
Newsgroups: comp.lang.python
To: python-list@python.org
Subject: Re: Dynamic variable creation from string
Date: Fri, 9 Dec 2011 23:08:23 +1100

On Fri, Dec 9, 2011 at 10:59 PM, Steven D'Aprano wrote:
> (4) If you think you can make exec safe with a prohibited list of
> dangerous strings, you probably can't.

If you think that it's even _possible_ to make exec safe with a
blacklist, I have a nice padded cell for you over here. Security is
NEVER achieved with blacklists, ONLY whitelists.

ChrisA
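
The contrast drawn in the message above, as an added example that is not part of the original post or thread: a substring blacklist in front of exec beside a whitelist evaluator that parses the input and handles only arithmetic nodes. The names `BLACKLIST`, `blacklist_allows`, `whitelist_eval` and `SAMPLE` are assumptions made for this illustration, and the sample input is constructed and never executed.

```python
import ast
import operator

# Constructed blacklist of "dangerous strings", the approach the post rejects.
BLACKLIST = ("import", "open", "eval", "exec", "__")

def blacklist_allows(src: str) -> bool:
    """Substring filter: passes any source that avoids the listed strings."""
    return not any(bad in src for bad in BLACKLIST)

# Whitelist: the only binary operators the evaluator implements.
BINARY_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
              ast.Mult: operator.mul, ast.Div: operator.truediv}

def _evaluate(node: ast.AST):
    """Walk the parsed tree; anything not explicitly handled is refused."""
    if isinstance(node, ast.Expression):
        return _evaluate(node.body)
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in BINARY_OPS:
        return BINARY_OPS[type(node.op)](_evaluate(node.left), _evaluate(node.right))
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_evaluate(node.operand)
    raise ValueError(f"not on whitelist: {type(node).__name__}")

def whitelist_eval(src: str):
    """Parse (never exec) the input and evaluate only whitelisted arithmetic."""
    try:
        tree = ast.parse(src, mode="eval")
    except SyntaxError as err:
        raise ValueError("not a single expression") from err
    return _evaluate(tree)

# Constructed input: assembles a blacklisted name at run time, so the
# literal string "eval" never appears in the source text.
SAMPLE = 'globals()["ev" + "al"]'

if __name__ == "__main__":
    print(blacklist_allows(SAMPLE))        # the string filter lets it through
    print(whitelist_eval("1 + 2 * 3"))
    try:
        whitelist_eval(SAMPLE)
    except ValueError as err:
        print("refused:", err)
```

The whitelist version never needs to know what is dangerous: a node type it was not written to handle is refused by default.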