Simple explanation of security issues with input() vs raw_input()

I was reading this Python 2.7 tutorial and they go over raw_input() and it mentions that:

The input() function will try to convert whatever you enter as if it were Python code, but it has security issues so you should avoid doing that.

I tried a few explanations for this, but it's still a little unclear to me; what's a simple explanation for the alleged internal security issues with input() vs raw_input()?

+3




1 answer


The input() function in Python 2.x evaluates things before returning.

So, as an example, you can take a look at this -

>>> input("Enter Something : ")
Enter Something : exit()

This will cause the program to exit (since it will evaluate exit()).



Another example -

>>> input("Enter something else :")
Enter something else :__import__("os").listdir('.')
['.gtkrc-1.2-gnome2', ...]

This will display the contents of the current directory; you can also use functions such as os.chdir(), os.remove(), os.removedirs(), os.rmdir().

+7
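An added example (not part of the answer above) showing, in Python 3, the difference the answer describes: Python 2's input() was roughly eval(raw_input()), so any expression typed at the prompt ran, whereas Python 3's input() returns the plain string like raw_input() did. The helper names (legacy_py2_input, safe_literal, read_int, classify) and the sample inputs are constructed for this example.

```python
# Added example (Python 3): why evaluating the raw prompt string is
# dangerous, and how to parse user-typed values without running them.
import ast


def legacy_py2_input(text):
    """Mimics Python 2's input() on an already-read string: the string is
    evaluated as Python code, so an expression like "2 + 3" is computed,
    and a call like exit() would be executed.  Shown for contrast only."""
    return eval(text)  # deliberately unsafe, this is the behaviour being warned about


def safe_literal(text):
    """Parse text as a Python literal only (numbers, strings, lists, dicts...).
    Names, attribute access, calls and imports are rejected with ValueError,
    so __import__("os").listdir('.') or exit() cannot execute."""
    return ast.literal_eval(text)


def read_int(text):
    """The usual fix for "read a number": keep the input as a string
    (raw_input in Python 2, input in Python 3) and convert explicitly."""
    return int(text.strip())


def classify(text):
    """Return 'literal' if text is a harmless literal, 'rejected' otherwise."""
    try:
        ast.literal_eval(text)
        return "literal"
    except (ValueError, SyntaxError):
        return "rejected"


if __name__ == "__main__":
    # Constructed sample inputs, like the ones typed at the prompts above.
    for sample in ["42", "[1, 2, 3]", "exit()", "__import__('os').listdir('.')"]:
        print(repr(sample), "->", classify(sample))
```

Running it prints "literal" for the first two samples and "rejected" for the two that would have executed code under Python 2's input().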

