Thursday, September 29, 2005
Python + input() fun
As written from the Python manual:
input([prompt])
Equivalent to eval(raw_input(prompt)). Warning: This function is not safe from user errors! It expects a valid Python expression as input; if the input is not syntactically valid, a SyntaxError will be raised. Other exceptions may be raised if there is an error during evaluation.
So, it simply evaluates incoming input, and will error if it does not comform to proper syntax. Have you ever logged into a server and got faced with a nologin script some admin wrote to remind you that money is owed on the account? or to request shell access?
If you put in: "import os; os.system('touch /tmp/peepee')", you will most likely see an ugly exception being rased:
Traceback (most recent call last):
File "", line 1, in ?
File "", line 1
import os; os.system('touch /tmp/peepee')
^
SyntaxError: invalid syntax
Lame! no spaces can be used in the evaluated code. Hmm. Ley's try a dynamic import: "__import__('os').system('touch /tmp/peepee')". Oh, that worked. I'm not sure wether or not the fact dynamic imports+executions are a feature or just some strange bug in input() but if imports of modules and executions were planned through input() it wouldn't have raised an exception on the attempts before. Unless, of course, it's some bug. ¶ 9/29/2005 08:31:00 PM
input([prompt])
Equivalent to eval(raw_input(prompt)). Warning: This function is not safe from user errors! It expects a valid Python expression as input; if the input is not syntactically valid, a SyntaxError will be raised. Other exceptions may be raised if there is an error during evaluation.
So, it simply evaluates incoming input, and will error if it does not comform to proper syntax. Have you ever logged into a server and got faced with a nologin script some admin wrote to remind you that money is owed on the account? or to request shell access?
If you put in: "import os; os.system('touch /tmp/peepee')", you will most likely see an ugly exception being rased:
Traceback (most recent call last):
File "
File "
import os; os.system('touch /tmp/peepee')
^
SyntaxError: invalid syntax
Lame! no spaces can be used in the evaluated code. Hmm. Ley's try a dynamic import: "__import__('os').system('touch /tmp/peepee')". Oh, that worked. I'm not sure wether or not the fact dynamic imports+executions are a feature or just some strange bug in input() but if imports of modules and executions were planned through input() it wouldn't have raised an exception on the attempts before. Unless, of course, it's some bug. ¶ 9/29/2005 08:31:00 PM