Re: [jokosher-devel] Jokosher Security Vulnerability

From: "Nick Murtagh" <nickmurtagh gmail com>
To: jokosher-devel-list gnome org
Subject: Re: [jokosher-devel] Jokosher Security Vulnerability
Date: Wed, 27 Sep 2006 11:52:52 +0100

On 9/27/06, John Green <john thegreens co uk> wrote:

Actually it's only the bit after the semi-colon that's the injected code. The
bit before has to just not fail with "object." in front of it. So bailing out
if a semi-colon is present should be enough I think. But like all these
things the danger is in what you haven't thought of yet.


exec is yucky.

Why not replace

   exec("target_object.%s"%func)

with

   getattr(target_object, func)()


There should probably be a try except around that in case target_object
is None or func isn't a method or target_object.

Follow-Ups:
- Re: [jokosher-devel] Jokosher Security Vulnerability
  - From: John Green
- [jokosher-devel] New undo syntax
  - From: Laszlo Pandy

References:
- [jokosher-devel] Jokosher Security Vulnerability
  - From: Laszlo Pandy
- Re: [jokosher-devel] Jokosher Security Vulnerability
  - From: Stuart Langridge
- Re: [jokosher-devel] Jokosher Security Vulnerability
  - From: John Green

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]