From: Kevin A. <al...@se...> - 2002-01-05 00:10:02

http://www.mime-rpc.com/

"Because sending simple stuff should be easy and sending complex stuff should be easy too."

MIME-RPC could be relevant to some future PythonCard communication, so this is just to get it into our email archive. Mark Pilgrim did a nice piece on the security holes of the current implementation, which is written in Python:

http://diveintomark.weblogger.com/stories/storyReader$196

This is relevant to PythonCard because we also use eval() and exec() in the framework, and in some, if not all, cases there are other safer ways to get the same results. At some point, a cleanup will be in order. Lately, one of the fixes I've been contemplating is a slight mod to the resource files, so we can just use plain imports. Basically, we just need to add a variable name. More on this issue later.

I haven't worried about eval() and exec() too much in the past because anyone running PythonCard is no more vulnerable to attacks than they were after they installed Python on their system. We aren't dynamically downloading arbitrary modules and resource files from untrusted sites, so the same rules apply as to any other piece of code on your desktop.

ka
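An added illustration of the eval()-versus-safer-alternative point above; this is example code, not from the post or from PythonCard itself. It assumes a resource file shaped like a bare Python dict literal (a constructed sample) and uses ast.literal_eval, which postdates this 2002 message, as the data-only loader beside the eval() loader the post is wary of.

```python
import ast

# Constructed sample in the style of a dict-literal resource file.
SAMPLE_RESOURCE = """
{'application': {'type': 'Application',
                 'name': 'Minimal',
                 'backgrounds': [{'type': 'Background',
                                  'name': 'bgMin',
                                  'title': 'Minimal PythonCard Application',
                                  'size': (200, 100)}]}}
"""

# Constructed sample that is not a pure literal: a call expression sits
# where a value belongs. eval() would run it; literal_eval refuses it.
TAMPERED_RESOURCE = """
{'application': {'type': 'Application', 'name': __import__('os').getcwd()}}
"""


def load_resource_unsafe(text):
    """The eval()-style loader: any expression in the file is executed."""
    return eval(text)


def load_resource(text):
    """Parse a resource file as data only.

    ast.literal_eval accepts strings, numbers, tuples, lists, dicts, sets,
    booleans and None, and raises ValueError for names, calls or attribute
    access, so the file cannot run code while being loaded.
    """
    try:
        resource = ast.literal_eval(text.strip())
    except (ValueError, SyntaxError) as exc:
        raise ValueError("resource file is not a plain literal: %s" % exc)
    if not isinstance(resource, dict) or 'application' not in resource:
        raise ValueError("resource file must be a dict with an 'application' key")
    return resource


def is_safe_resource(text):
    """True when the text loads as a literal-only resource dict."""
    try:
        load_resource(text)
    except ValueError:
        return False
    return True
```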