
### #Actualthok

Posted 25 April 2013 - 08:15 AM

Oh, yes. It's eval. I forgot about their difference.

About the command_map, I actually have been thinking about that before. Using a dictionary and checking if the thing is in the dictionary. So, my assumption is right? The type of data sent between client and server is the instruction and the arguments needed? I have never coded any server stuff before, and I couldn't find such information on the Internet. I just used my own logic, which is questionable.

Yes, pretty much. You need to figure out a clean way to pack 1) the instruction name and 2) the arguments on the client side, and a way to unpack them properly on the server side. A simple way to do this would be to encode this in JSON; that may not be terribly efficient, but it's a simple place to start. Python has standard libs for encoding and decoding JSON: http://docs.python.org/2/library/json.html.

Can you please explain a little more about the reason why I must be careful while using eval? I feel like it's rather risky, but I'm not sure why. I guess I'm just paranoid.

P.S. I just read an article about being careful with eval, but I don't really understand the namespace thingy.

Two words: "code injection". http://en.wikipedia.org/wiki/Code_injection

If you use eval to execute an arbitrary instruction, it is possible that a client could, for example, send the instruction name '__import__("sys").exit()' as a string, which would crash the server process once eval executes it. If the server process is being run as superuser (which it shouldn't be), technically this security hole could result in the server box getting completely 0wnz3d. If you're using an eval in a program which runs in isolation on a single machine and never hits the network, probably you don't need to care. But once you open the program up to a network and, more importantly, provide a server interface _directly_ to an eval, you do need to be careful.

Regardless of the security risks, there are almost always better alternatives to eval. In your case, using an explicitly defined map of instructions is one of those alternatives.

eval for Python is kind of like goto for C: Just because you CAN use it doesn't necessarily mean you SHOULD. =P

### #1thok

Posted 25 April 2013 - 08:15 AM

Oh, yes. It's eval. I forgot about their difference.

About the command_map, I actually have been thinking about that before. Using a dictionary and checking if the thing is in the dictionary. So, my assumption is right? The type of data sent between client and server is the instruction and the arguments needed? I have never coded any server stuff before, and I couldn't find such information on the Internet. I just used my own logic, which is questionable.

Yes, pretty much. You need to figure out a clean way to pack 1) the instruction name and 2) the arguments on the client side, and a way to unpack them properly on the server side. A simple way to do this would be to encode this in JSON; that may not be terribly efficient, but it's a simple place to start. Python has standard libs for encoding and decoding JSON: http://docs.python.org/2/library/json.html.

Can you please explain a little more about the reason why I must be careful while using eval? I feel like it's rather risky, but I'm not sure why. I guess I'm just paranoid.

P.S. I just read an article about being careful with eval, but I don't really understand the namespace thingy.

Two words: "code injection". http://en.wikipedia.org/wiki/Code_injection

If you use eval to execute an arbitrary instruction, it is possible that a client could, for example, send the instruction name '__import__("sys").exit()' as a string, which would crash the server process. If the server process is being run as superuser (which it shouldn't be), technically this security hole could result in the server box getting completely 0wnz3d. If you're using an eval in a program which runs in isolation on a single machine and never hits the network, probably you don't need to care. But once you open the program up to a network and, more importantly, provide a server interface _directly_ to an eval, you do need to be careful.

Regardless of the security risks, there are almost always better alternatives to eval. In your case, using an explicitly defined map of instructions is one of those alternatives.

eval for Python is kind of like goto for C: Just because you CAN use it doesn't necessarily mean you SHOULD. =P
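The command-map approach recommended in the post, sketched as an added example (not code from the thread): the client packs an instruction name and arguments as JSON, and the server only ever uses the name as a dictionary key, so the string quoted above is rejected instead of executed. The handler names and the `instruction`/`args` field names are assumptions made for illustration.

```python
import json

# Hypothetical handlers; a real server would put its own operations here.
def cmd_echo(text):
    return text

def cmd_add(a, b):
    return a + b

# Explicit allow-list: instruction name -> (handler, expected argument types).
COMMAND_MAP = {
    "echo": (cmd_echo, (str,)),
    "add": (cmd_add, (int, int)),
}

def pack(instruction, *args):
    """Client side: encode the instruction name and arguments as JSON."""
    return json.dumps({"instruction": instruction, "args": list(args)})

def handle(raw):
    """Server side: decode, validate against COMMAND_MAP, then dispatch."""
    try:
        msg = json.loads(raw)
    except ValueError:
        return {"ok": False, "error": "malformed JSON"}
    if not isinstance(msg, dict):
        return {"ok": False, "error": "message must be an object"}
    name, args = msg.get("instruction"), msg.get("args", [])
    if not isinstance(name, str) or name not in COMMAND_MAP:
        # Unknown names are only ever used as a dictionary key, never executed.
        return {"ok": False, "error": "unknown instruction"}
    handler, types = COMMAND_MAP[name]
    if (not isinstance(args, list) or len(args) != len(types)
            or not all(type(a) is t for a, t in zip(args, types))):
        return {"ok": False, "error": "bad arguments"}
    return {"ok": True, "result": handler(*args)}

if __name__ == "__main__":
    # Constructed sample messages, including the string quoted in the post.
    for raw in (pack("add", 2, 3),
                pack('__import__("sys").exit()'),
                pack("add", "2", 3),
                "not json"):
        print(handle(raw))
```

Checking argument count and types before dispatch keeps a malformed message from raising inside a handler and taking the server loop down with it.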
