Steve Christey Coley
@SushiDude
19 Dec
huh? no vuln here, assuming the code isn't set[ug]id! The user already has privileges to execute python code! It's just an undocumented API feature for other things invoking this program, nothing to see here ;-)
Natalie Silvanovich
@natashenka
19 Dec
Ha ha! It’s just a bad habit to get into, what if you’re loading the port from somewhere untrusted next time?
Tyrell Daniel Nelson
@TyrellDanielNe1
27 Dec
Perfectly acceptable use of eval.. In this case if you can input something that can cause damage, you could cause damage without eval as you would already have shell access.. It would be different if you were processing input from a client over the network like this
Natalie Silvanovich
@natashenka
27 Dec
The problem is that they’re teaching people who often don’t know much about python to use eval to convert integers without context
Baa.
@secgoat
19 Dec
Explanation: pic.twitter.com/uzWp8FNx9P
badidea 💫
@0xabad1dea
18 Dec
w—
why would—
Daniel Carosone ⬡ 🇸🇪 🇮🇹 🇦🇺
@redtwitdown
19 Dec
I assume it's some YOLO "parse as number" shorthand that "everyone knows" is just for demo purposes and you're only supposed to learn from the important parts of that demo
Seif ElSallamy
@SeifElsallamy
18 Dec
*copying and pasting the code to my remote nuclear reactor app*
Ming Chow
@0xmchow
19 Dec
There’s a reason why I have a CTF challenge that involves eval() in my class.
Jann Horn
@tehjh
19 Dec
svn.python.org/projects/pytho… knows how to do it properly
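The habit the thread is arguing about is demo code doing `port = eval(port_string)` to turn text into an integer. As an added example, not code from anyone in the thread, here is the strict Python replacement (what Natalie's "convert integers" should look like when the string may come from somewhere untrusted), the `ast.literal_eval` middle ground with its remaining type and range checks, and a small ast-based scan a reviewer can run over source to find bare `eval()`/`exec()` calls. The names `parse_port`, `literal_port`, `eval_call_lines`, `rejects` and the `DEMO_SOURCE` snippet are constructed for this example.

```python
import ast
import re

# ASCII decimal only: no sign, no underscores, no leading zero, at most 5 digits.
PORT_RE = re.compile(r"[1-9][0-9]{0,4}")

def parse_port(text: str) -> int:
    """Strict replacement for a demo's ``eval(port_string)``: decimal text -> 1..65535.

    int() alone is looser than it looks ("+80", "1_024" and non-ASCII digits all
    convert), so the shape is pinned with an explicit ASCII regex first."""
    s = text.strip()
    if not PORT_RE.fullmatch(s):
        raise ValueError(f"not a decimal port number: {text!r}")
    port = int(s)
    if port > 65535:
        raise ValueError(f"port out of range: {port}")
    return port

def literal_port(text: str) -> int:
    """ast.literal_eval only builds literals: names, calls, attribute access and
    arithmetic raise instead of running. Type and range still need checking ("1e3" is
    a float, "True" a bool, "-80" an int), and huge or deeply nested input can still
    exhaust the parser, so parse_port() is the better choice for untrusted data."""
    try:
        value = ast.literal_eval(text.strip())
    except (ValueError, TypeError, SyntaxError, MemoryError, RecursionError) as exc:
        raise ValueError(f"not a literal: {text!r}") from exc
    if type(value) is not int or not 1 <= value <= 65535:
        raise ValueError(f"not a port: {value!r}")
    return value

def eval_call_lines(source: str) -> list:
    """Code-review helper: line numbers of bare eval()/exec() calls in Python source."""
    tree = ast.parse(source)
    return sorted(n.lineno for n in ast.walk(tree) if isinstance(n, ast.Call)
                  and isinstance(n.func, ast.Name) and n.func.id in {"eval", "exec"})

def rejects(parser, text: str) -> bool:
    """True if `parser` refuses `text` with ValueError (used by the checks below)."""
    try:
        parser(text)
    except ValueError:
        return True
    return False

# Constructed demo snippet in the style the thread objects to (not code from the thread).
DEMO_SOURCE = "import sys\nport = eval(sys.argv[1])\nprint(port)\n"
```

Inputs such as `2**13` or `1_024` are exactly the ones `eval()` would happily turn into a number; `parse_port` refuses them all, and `literal_port` refuses the arithmetic but not the underscore form, which is why the stricter parser is the one to hand to beginners.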