Re: [jokosher-devel] Jokosher Security Vulnerability
- From: Laszlo Pandy <laszlok2 gmail com>
- To: John Green <john thegreens co uk>, Jokosher gnome <jokosher-devel-list gnome org>
- Subject: Re: [jokosher-devel] Jokosher Security Vulnerability
- Date: Wed, 27 Sep 2006 09:02:37 -0400
John Green wrote:
> On Wednesday 27 September 2006 12:49, you wrote:
> > paramString = func[ func.find("(")+1 : func.rfind(")") ]
> > paramList = [eval(x) for x in paramString.split(",")]
> > getattr(target_object, func)(*paramList)
> > We still have to use eval(), but that's much safer right? Is there
> > any way to do malicious things with eval()?
> Well, I just tried your code with
> func = "Move(os.remove('file'), 0.280000)"
> and the os.remove got executed, so very probably. Couldn't we just use
> float()? I know some of the params are ints but is there anywhere where this
> matters?
I'm leaning towards having CommandManaged send a function name and a
separate list of parameters to the undo stack, which can then be stored
in XML in their own tags under the <Command> tag. The XML will also save
their type so they can easily be restored without using eval(). We then
wouldn't have to parse anything from a string and we would just do:
getattr(self, func)(*listOfParams)
I'll see if there will be any problems with implementing this in
CommandManaged later tonight.
Laszlo
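The XML approach Laszlo sketches, as an added example that is not part of this thread or of Jokosher's own code: the function name and each parameter's type go into their own tags, and restoring uses a fixed table of type converters instead of eval(), so the os.remove string from the thread comes back as an inert string. The Clip class, the Param tag and the command whitelist are assumptions.

```python
import xml.etree.ElementTree as ET

# Only these converters are allowed when rebuilding a parameter;
# anything else is rejected rather than evaluated.
_TYPES = {"int": int, "float": float, "str": str, "bool": lambda s: s == "True"}

def command_to_xml(func, params):
    """Build <Command name="..."><Param type="...">value</Param>...</Command>."""
    cmd = ET.Element("Command", name=func)
    for p in params:
        tname = type(p).__name__
        if tname not in _TYPES:
            raise TypeError(f"unsupported parameter type: {tname}")
        ET.SubElement(cmd, "Param", type=tname).text = str(p)
    return ET.tostring(cmd, encoding="unicode")

def command_from_xml(xml_text):
    """Parse back to (func, params); the saved type picks the converter."""
    cmd = ET.fromstring(xml_text)
    params = []
    for p in cmd.findall("Param"):
        conv = _TYPES.get(p.get("type"))
        if conv is None:
            raise ValueError(f"refusing unknown parameter type {p.get('type')!r}")
        params.append(conv(p.text or ""))
    return cmd.get("name"), params

def run_command(target, xml_text, allowed):
    """Dispatch as getattr(target, func)(*params), limited to known undo ops."""
    func, params = command_from_xml(xml_text)
    if func not in allowed:
        raise ValueError(f"{func!r} is not an undoable command")
    return getattr(target, func)(*params)

class Clip:
    """Hypothetical target object standing in for a Jokosher event."""
    def __init__(self):
        self.position = 0.0
    def Move(self, old_pos, new_pos):
        self.position = new_pos
        return new_pos
```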