

Groups > comp.lang.python > #97239 > unrolled thread

Re: Create a .lua fle from Python

Started by: jmp <jeanmichel@sequans.com>
First post: 2015-09-30 11:21 +0200
Last post: 2015-10-02 13:49 +0200
Articles: 4 — 3 participants


This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by below is the oldest one visible, not the original post.


Contents

  Re: Create a .lua fle from Python jmp <jeanmichel@sequans.com> - 2015-09-30 11:21 +0200
    Re: Create a .lua fle from Python Steven D'Aprano <steve@pearwood.info> - 2015-10-02 05:12 +1000
      Re: Create a .lua fle from Python jmp <jeanmichel@sequans.com> - 2015-10-02 11:03 +0200
      Re: Create a .lua fle from Python Stefan Behnel <stefan_ml@behnel.de> - 2015-10-02 13:49 +0200

#97239 — Re: Create a .lua fle from Python

From: jmp <jeanmichel@sequans.com>
Date: 2015-09-30 11:21 +0200
Subject: Re: Create a .lua fle from Python
Message-ID: <mailman.265.1443604877.28679.python-list@python.org>
On 09/29/2015 07:28 PM, Peter Otten wrote:
> jmp wrote:
>> import bs4
>> import jinja2
>>
>> xml = """<cities>
>>        <city>
>>                 <name>BuenosAires</name>
>>                 <temperature>30</temperature>
>>         </city>
>> <city>
>>         <name>Seatle</name>
>>         <temperature>25</temperature>
>> </city>
>> </cities>"""
>>
>> lua_template = """
>> cities_temps ={
>> {%- for city, temp in cities.iteritems() %}
>> ["{{city}}"] = {{temp}},
>> {%- endfor %}
>> }"""
>>
>> xmlp = bs4.BeautifulSoup(xml, 'xml')
>> # from xml to python dictionary
>> data = {city.find('name').string:city.find('temperature').string for
>> city in xmlp.findAll('city')}
>> # from python dictionary to lua
>> print jinja2.Template(lua_template).render(cities=data)
>>
>>
>> will yield (python 2.7):
>>
>> cities_temps ={
>> ["BuenosAires"] = 30,
>> ["Seatle"] = 25,
>> }
>
> Is Ariel's xml file user-supplied? If so, how does your suggestion prevent
> the resulting lua script from executing arbitrary code?

It does not. Like it doesn't fulfill the millions of possible 
requirements the OP could have written but did not. What if the OP wants 
a thread safe, super fast, multi core solution distributed on multiple 
remote hosts?

jm

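Peter's question above is about the generated Lua script, not the XML parsing: a city name or temperature copied verbatim into Lua source can close the string or table and whatever follows becomes code when the .lua file is loaded. The following is an added example, not code from the thread, showing the same XML-to-Lua rendering with each value emitted as a proper Lua literal (a quoted string with escaping for names, a validated decimal for temperatures) so that the data cannot change the shape of the script. It uses only the Python standard library; the function names, the sample XML and the render_unsafe/render_safe split are constructed for this illustration.

```python
# Added example (not from the thread): render the same XML-derived table as
# jmp's snippet, but emit every value as a proper Lua literal so that text
# taken from the XML cannot change the structure of the generated script.
# Standard library only; function names and the sample XML are constructed.
import re
import xml.etree.ElementTree as ET

# Constructed input: the second name contains a quote, a backslash and a
# newline; the third temperature is not a number at all.
SAMPLE_XML = """<cities>
  <city><name>BuenosAires</name><temperature>30</temperature></city>
  <city><name>Sea"ttle\\and\nmore</name><temperature>25</temperature></city>
  <city><name>Nowhere</name><temperature>not a number</temperature></city>
</cities>"""

# Characters that could terminate a Lua string literal or break a line.
_LUA_ESCAPES = {
    '\\': '\\\\', '"': '\\"', '\n': '\\n', '\r': '\\r', '\t': '\\t',
}

_NUMBER = re.compile(r'^-?[0-9]+(\.[0-9]+)?$')


def lua_string(value):
    """Return value as a double-quoted Lua string literal.

    Quote, backslash and line breaks are escaped; any other control
    character (NUL included) is written as a three-digit decimal \\ddd
    escape, which Lua accepts and which cannot swallow a following digit.
    """
    out = []
    for ch in value:
        if ch in _LUA_ESCAPES:
            out.append(_LUA_ESCAPES[ch])
        elif ord(ch) < 32 or ord(ch) == 127:
            out.append('\\%03d' % ord(ch))
        else:
            out.append(ch)
    return '"' + ''.join(out) + '"'


def lua_number(value):
    """Accept only a plain decimal number; reject anything else."""
    value = value.strip()
    if not _NUMBER.match(value):
        raise ValueError('temperature is not a number: %r' % value)
    return value


def parse_cities(xml_text):
    """XML -> {name: temperature} as strings, as in the original snippet.

    For XML from outside the trust boundary, parse with defusedxml instead
    of ElementTree to also rule out entity-expansion problems.
    """
    root = ET.fromstring(xml_text)
    return {city.findtext('name', ''): city.findtext('temperature', '')
            for city in root.iter('city')}


def render_unsafe(cities):
    """The pattern from the thread: values pasted verbatim into Lua source."""
    lines = ['["%s"] = %s,' % (name, temp) for name, temp in cities.items()]
    return 'cities_temps = {\n' + '\n'.join(lines) + '\n}'


def render_safe(cities):
    """Same table, but each key and value goes through a literal encoder."""
    lines = ['[%s] = %s,' % (lua_string(name), lua_number(temp))
             for name, temp in cities.items()]
    return 'cities_temps = {\n' + '\n'.join(lines) + '\n}'


if __name__ == '__main__':
    cities = parse_cities(SAMPLE_XML)
    # The quote and newline from the second name land in the Lua source as-is.
    print(render_unsafe(cities))
    # Same data, valid Lua literals (first two cities only).
    print(render_safe(dict(list(cities.items())[:2])))
    try:
        render_safe(cities)           # third city: temperature is not numeric
    except ValueError as exc:
        print('rejected:', exc)
```

The encoder, not the template, is what makes the output safe: whichever templating engine writes the file, every value that originates in the XML should pass through lua_string or lua_number first, and anything that does not fit the expected type is rejected rather than written out.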


#97300

From: Steven D'Aprano <steve@pearwood.info>
Date: 2015-10-02 05:12 +1000
Message-ID: <560d85ba$0$1591$c3e8da3$5496439d@news.astraweb.com>
In reply to: #97239
On Wed, 30 Sep 2015 07:21 pm, jmp wrote:

>> Is Ariel's xml file user-supplied? If so, how does your suggestion
>> prevent the resulting lua script from executing arbitrary code?
> 
> It does not. Like it doesn't fulfill the millions of possible
> requirements the OP could have written but did not. What if the OP wants
> a thread safe, super fast, multi core solution distributed on multiple
> remote hosts?

Then he should have said so.

We are not *required* to guess every last requirement that somebody might
have but didn't mention. But we do have a professional[1] duty of care to
warn an *obvious beginner* that he may be introducing a serious security
vulnerability into his code.




[1] In the sense of a job well done, not in the sense of "I got paid money
to write this shit". Think master craftsman, not interchangeable code
monkey.


-- 
Steven



#97329

From: jmp <jeanmichel@sequans.com>
Date: 2015-10-02 11:03 +0200
Message-ID: <mailman.330.1443776605.28679.python-list@python.org>
In reply to: #97300
On 10/01/2015 09:12 PM, Steven D'Aprano wrote:
> On Wed, 30 Sep 2015 07:21 pm, jmp wrote:
>
>>> Is Ariel's xml file user-supplied? If so, how does your suggestion
>>> prevent the resulting lua script from executing arbitrary code?
>>
>> It does not. Like it doesn't fulfill the millions of possible
>> requirements the OP could have written but did not. What if the OP wants
>> a thread safe, super fast, multi core solution distributed on multiple
>> remote hosts?
>
> Then he should have said so.
>
> We are not *required* to guess every last requirement that somebody might
> have but didn't mention. But we do have a professional[1] duty of care to
> warn an *obvious beginner* that he may be introducing a serious security
> vulnerability into his code.

I agree with you, and to some extent with Peter's answer: my solution is 
not safe, but note that I didn't mean it to be, nor did I claim it was safe.

What I disagree with is the suggestion that I should provide a safe 
version of my solution, just in case the OP forgot to mention that he 
was going public with his application, while a simple "beware, this 
solution is not safe" would have sufficed.

Safety is like speed optimization: you care about it only when it can be 
a problem. And the vast majority (there's a recent trolling thread about 
the equivalent percentage of vast majority if you want to have fun) of 
Python code may run on trusted networks. Meaning it's probable you are 
wrong when assuming security of a Python snippet is a concern.


JM

Note: becoming public on the internet is not even enough for security 
to be a concern. Consider the OP's request: someone around the world 
would need to be willing to hack into the OP's server, guess/find out 
that the xml is able to execute lua and then attack the server for a 
reason yet to be known. If the OP's name is google, yeah someone will 
want to do that. If you're a complete anonymous...



#97332

From: Stefan Behnel <stefan_ml@behnel.de>
Date: 2015-10-02 13:49 +0200
Message-ID: <mailman.336.1443786569.28679.python-list@python.org>
In reply to: #97300
jmp wrote on 02.10.2015 at 11:03:
> Safety is like speed optimization, you care about it only when it can be a
> problem. And the vast majority (there's a recent trolling thread about the
> equivalent percentage of vast majority if you want to have fun) of python
> code may run on trusted networks. Meaning it's probable you are wrong when
> assuming security of a python snippet is a concern.

Writing code "for internal use only" is ok, but there is never a guarantee
that some of that code won't be reused elsewhere, in an entirely different
context. Or that someone comes up with the idea of adding a REST API
frontend, now that there is a command line interface [1]. If that happens,
I assure you that at least in some cases (be it the "vast majority" or not)
there will be no thorough security audit up-front. Because, you know - it's
code that works and is production proven already. Possibly for years and
years, and through generations of employees, all experienced and trusted.
What can possibly be wrong with such code?

So, it's acceptable to write such code under certain conditions, but at
least someone should leave a visible comment somewhere (as Peter rightfully
did in this case) that the input is not safely validated, so that future
generations of programmers can see immediately that a) security hasn't been
a concern when writing it and b) the author was in fact not a complete
moron, not knowing a bit about the basics of input validation.

It really helps in trust building to find such comments from time to time.

Stefan



[1] mainframes on the Internet, anyone?


