Timeline for Converting binary to string, then back again using python
Current License: CC BY-SA 4.0
12 events
| when | what | action | by | license | comment |
|---|---|---|---|---|---|
| Jul 27, 2020 at 13:45 | vote | accept | Jarmund | | |
| Jul 27, 2020 at 13:33 | history | edited | Andras Deak -- Слава Україні | CC BY-SA 4.0 | restructure to emphasize the _safe_ solution |
| Jul 27, 2020 at 13:20 | comment | added | Andras Deak -- Слава Україні | | It's alright, but we agree this is insecure, and too many people copy code blindly from SO :) Suggested reading for the safety aspect: nedbatchelder.com/blog/201206/eval_really_is_dangerous.html and stackoverflow.com/questions/1832940/… |
| Jul 27, 2020 at 13:18 | history | edited | David | CC BY-SA 4.0 | deleted 8 characters in body |
| Jul 27, 2020 at 13:17 | comment | added | metatoaster | | The import is not needed; try `eval('__import__("os").system')` in the interactive console. |
| Jul 27, 2020 at 13:17 | history | edited | David | CC BY-SA 4.0 | Removed (another) unsafe method. |
| Jul 27, 2020 at 13:16 | comment | added | David | | Oh yes... if I imported `os` then `eval('os.system("some stuff")')` can work! |
| Jul 27, 2020 at 13:14 | comment | added | metatoaster | | There is a difference between `eval` and `ast.literal_eval` - `eval` is still not safe. |
| Jul 27, 2020 at 13:13 | history | edited | David | CC BY-SA 4.0 | added 30 characters in body |
| Jul 27, 2020 at 13:10 | history | edited | David | CC BY-SA 4.0 | Removed unsafe method. |
| Jul 27, 2020 at 13:02 | comment | added | metatoaster | | Please don't do this. The context already given was that this data was sent over a socket - this strongly implies that the source of `rsastring` is untrusted and usage of `exec` will directly result in remote execution of untrusted code (a massive security vulnerability). As discussed in the comments, `ast.literal_eval` is the safe alternative that will not evaluate arbitrary code. |
| Jul 27, 2020 at 12:54 | history | answered | David | CC BY-SA 4.0 | |