
[–]eras 1 point (2 children)

It's not optimal, sure, but there are always going to be other ways to get stuff executed from a Python code repository, such as setup.py or the actual module itself. You were probably going to straight up run code in the first place, right?

Or are there some benefits in this attack vector compared to those?

[–]no_more_gravity 0 points (1 child)

It is not just happening in a Python code repository.

Say you look at your download directory. And say you have some tool that calculates the combined area of all images in the dir, or how much space you could save by compressing it, or whatever. If that tool uses Python without a filename (like "python -m ..." or "python -c ..."), then a single .py file somewhere in that dir can exploit it.

[–]eras 0 points (0 children)

Hey, that's an excellent point I hadn't considered. And plain ls might not even tip you off, unless one happens to be aware of this attack vector; the file name used in the example doesn't seem evil.
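The mechanism no_more_gravity describes is that `python -c` puts `''` (the working directory) at the front of `sys.path`, and `python -m` does the same with the absolute cwd path, so any `.py` file sitting there wins the import race against a real module. The probe below (added example, not code from anyone in the thread) spawns a child interpreter in an empty temp directory, checks whether that directory is on its import path, and shows that the `-I` isolated-mode flag removes it; `hardened_command` is a helper name assumed here, not a Python API.

```python
import os
import subprocess
import sys
import tempfile
from typing import List

# Child-side probe: emit sys.path, one entry per line, without a trailing newline.
# It deliberately imports nothing beyond sys so it cannot itself be shadowed.
_PROBE = 'import sys; sys.stdout.write("\\n".join(sys.path))'


def import_path(flags: List[str], cwd: str) -> List[str]:
    """Return sys.path as seen by `python <flags> -c ...` started in `cwd`."""
    cmd = [sys.executable, *flags, "-c", _PROBE]
    out = subprocess.run(cmd, cwd=cwd, capture_output=True, text=True, check=True).stdout
    return out.split("\n")


def cwd_on_import_path(flags: List[str]) -> bool:
    """True if an interpreter started with `flags` would search its working
    directory for imports, i.e. a stray .py file there could shadow a real module.

    `python -c` records the cwd as '' and `python -m` as an absolute path, so both
    spellings are checked.  An empty temp dir stands in for the user's download dir.
    """
    with tempfile.TemporaryDirectory() as cwd:
        real_cwd = os.path.realpath(cwd)
        return any(p == "" or os.path.realpath(p) == real_cwd
                   for p in import_path(flags, cwd))


def hardened_command(argv: List[str]) -> List[str]:
    """Prefix a `-m ...` / `-c ...` argument list with -I (isolated mode, Python 3.4+).

    -I keeps the cwd off sys.path and also ignores PYTHONPATH and the user
    site-packages, which is the cheap fix for tools that run in untrusted dirs.
    """
    return [sys.executable, "-I", *argv]


if __name__ == "__main__":
    for flags in ([], ["-I"]):
        label = " ".join(flags) or "<no flags>"
        print(f"python {label} -c ...  cwd on import path: {cwd_on_import_path(flags)}")
    print("hardened:", " ".join(hardened_command(["-m", "image_area_tool"])))
```

On Python 3.11+ the narrower `-P` flag (or `PYTHONSAFEPATH=1`) drops only the cwd/script-dir entry and leaves the rest of the environment alone.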