On Fri, Nov 29, 2013 at 08:17:54PM -0500, richard kappler wrote:
> I have a script that makes use of the Google speech recognition API as
> follows:
[...]
> args = shlex.split(cmd)
> output,error = subprocess.Popen(args,stdout = subprocess.PIPE, stderr=
> subprocess.PIPE).communicate()
>
> if not error:
> a = eval(output)
A trivial typo here: the line a = eval(output) needs to be indented.
More importantly though, this is quite risky. You're downloading data
from the internet, then executing it as code. I really, really, really
hope you trust the source of that data. By eval()ing their code, you
give them complete and total control of your PC -- anything you can do,
they can do.
It's not just *them* that you have to trust, but anyone in the world who
manages to compromise their server or the communication channel between
them and you.
How safe do you feel?
> ERROR:
> Traceback (most recent call last):
> File "inga.py", line 146, in <module>
> confidence= a['hypotheses'][0]['confidence']
> IndexError: list index out of range
>
> If I understand it correctly, the traceback is telling me that there is no
> position [0] in my list, but I don't understand how that can be true. I'm
> not using the variable "confidence" anywhere else in the program.
It's not "confidence" that has no position 0, but a['hypotheses'],
whatever that is.
Start by printing a['hypotheses'] and seeing what it contains. My guess
is that it probably contains an empty list, [].
Here's another reason for avoiding eval(). Presumably a['hypotheses'] is
set by the code you download and then eval. That makes it completely
opaque -- you can't easily see what it is doing, and if it plays up, you
can't do anything about it. It's a complete black box that either works
or doesn't work.
What can we do about this? Well, if using eval() really is the only way
to do this, I'd say the risk is not worth it. That sort of gung-ho
attitude to security suggests that it's only a matter of time before the
source is hacked, and once they're hacked, anyone using it is vulnerable
too.
[Aside: This sort of crap really makes me angry -- code injection
vulnerabilities are one of the most common ways that viruses, spyware
and other malware get into people's computers, and Google should know
better than this. If Google actually recommend you use eval() to access
their service, that just demonstrates that the Speech Recognition team
don't give a monkey's toss for your security.]
In the meantime, you can start by printing the code before eval()'ing
it. That way at least we can see what it's supposed to be getting. Go
back to the lines:
if not error:
a = eval(output)
and change the block to:
print(output)
a = eval(output) # WARNING WARNING DANGER DANGER
print(a)
and then we can see what the code was supposed to do and what it
actually did. My guess is that it was working before, but you've
exceeded some limit on the number of requests per day, or possibly the
speech recognition can't make out any words so it just returns an empty
list.
[soapbox]
This is not aimed at you, you're a beginner and can be excused. But the
Google techs have NO EXCUSE. I am so effing sick of coders in the 21st
century who have no effing clue about even the most common-sense basics
of security. No wonder there are so many malware and viruses around.
Using eval here is like posting the keys to your house to some arbitrary
tradesperson you've never met with instructions "I'll be away all next
week, come around whenever you like and do whatever jobs you think need
doing." You damn well better trust them, AND the post office.
--
Steven
_______________________________________________
Tutor maillist - Tutor@python.org
To unsubscribe or change subscription options:
https://mail.python.org/mailman/listinfo/tutor
