If you are calling eval() on a user-provided string you should assume
they can run arbitrary code with the permissions of the webserver.
This almost certainly means anyone with edit access can delete the
Trac site, and probably do plenty of more subtly evil things. If you
wouldn't give every one of your users root on the Trac machine, don't
do this. If you want to make a single calculation system, PyParsing
has one as an example.
--Noah
On Feb 19, 2010, at 5:04 AM, W. Martin Borgert wrote:
> On 2010-02-18 16:01, Noah Kantrowitz wrote:
>> Trac-hacks would be the place for this, or just post it to PyPI.
> Yes, I will put it on Trac-hacks, but I'm interested in feedback
> (esp. about security implications) first.
--
You received this message because you are subscribed to the Google
Groups "Trac Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/trac-users?hl=en.
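Noah's point, that eval() on user-supplied text is arbitrary code execution as the webserver, is normally answered by parsing the expression and interpreting only an arithmetic subset instead of executing it. The block below is an added example, not code from this thread or from any Trac-hacks plugin: a restricted calculator built on Python's ast module (assumes Python 3.8+; the function name safe_calc and the exponent bound are my own choices, and wiring it into a Trac macro is left out).

```python
# Added example: a restricted arithmetic evaluator that replaces eval() in a
# wiki "calculation" macro. The expression is parsed with the ast module and
# the tree is walked, accepting only numeric literals and arithmetic
# operators; names, calls, attribute access and everything else are rejected
# before anything is evaluated.
import ast
import operator

_BINARY_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}

MAX_EXPONENT = 1000  # constructed bound so "9**9**9" cannot exhaust the server


def _eval_node(node):
    if isinstance(node, ast.Constant):
        value = node.value
        # bool is a subclass of int; refuse it so True/False are not arithmetic
        if isinstance(value, (int, float)) and not isinstance(value, bool):
            return value
    elif isinstance(node, ast.BinOp) and type(node.op) in _BINARY_OPS:
        left = _eval_node(node.left)
        right = _eval_node(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise ValueError("exponent too large")
        return _BINARY_OPS[type(node.op)](left, right)
    elif isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    # Names, calls, attributes, subscripts, lambdas, comprehensions, ... land here.
    raise ValueError("unsupported expression element: %s" % type(node).__name__)


def safe_calc(expression):
    """Evaluate an arithmetic expression taken from untrusted wiki text.

    Raises ValueError for anything that is not pure arithmetic, so the
    macro never hands user input to eval() or exec().
    """
    try:
        tree = ast.parse(expression, mode="eval")
    except SyntaxError as exc:
        raise ValueError("invalid expression: %s" % exc)
    return _eval_node(tree.body)
```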