[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Do I need a parser?

On 07/02/2019 12:47 PM, Thomas Jollans wrote:
> Obviously, as Cameron points out, using Python instead of a custom
> scripting language has security implications, that go with the increased
> power that the user has. 

I've always found this kind of thing to be a bit strange. I do
understand where Cameron was coming from, but still.  The python
interpreter itself will happily run any python program you give it, even
one that will erase all your files.  As well as compilers, or bash.  Yet
we don't often go around claiming that they are security issues.

As with all things, the security implications depend entirely on how the
program is running, who's running the program, and where the input is
coming from.  And this is where Cameron's warning comes into play.  I
guess where people get into trouble is when they have their nice little
python program that exec()'s a user's input file, and then they think,
hey that'd be cool to run this as a web service.  Whoops.  So maybe
better to avoid it in the first place.

> However, in a laboratory setting, where the users are scientists who
> have physical access to the machine anyway, I really don't think this
> is a concern. And the added flexibility may be worth a lot down the
> line!

It's not even a matter of physical access.  Any script can do anything
that the user can do.  I'm pretty sure python scripts cannot be setuid.
In these limited circumstances, I can't think of any security
implications other than the usual "don't run programs from people you
don't know."  Which is directed at the user, not the programmer.