On Wed, Apr 6, 2016 at 12:50 AM, Ian Kelly <ian.g.ke...@gmail.com> wrote: > Same here, although it looks to me like this approach could work. Or > I'm just not clever enough to see how it could be exploited.
Having been bitten in the past (our test box was compromised by python-list white hats within 20 minutes of the invitation being sent out), I would go with the second of your options. Nearly anything is vulnerable if it's permitted to execute arbitrary code; all it takes is a sufficiently smart operator. ChrisA -- https://mail.python.org/mailman/listinfo/python-list
