5

"In Python 3, exec is a function; its use has no effect on the compiled bytecode of the function where it is used."

Found in a stackoverflow post.

So wait, you mean to say, you could hide code in a pyc file or am I mistaken?

How is this not a security concern?

Comments
  • 8
    Python is such a clusterfuck. The only reason why it is so popular is because all the script-kiddies use it.
  • 4
    @sariel it really is a clusterfuck. It's the new BASIC.

    Just simple enough to be dangerous.

    Its why I love it lol.
  • 4
    So what exactly is the problem here? Calling exec will result in "function call to exec" in the pyc.
    And wether a pyc and a py actually is not "really" checked anyway (besides a "recompile when the oy one changed")

    By the way, a call to exec should trigger an audit hook at runtime.
  • 4
    What the SO poster likely wants to express: There is no dedicated opcode for exec anymore.

    On Python 2, it was called with "EXEC_STMT" whereas Python 3 uses "CALL_FUNCTION" with "LOAD_NAME n (exec)" before.

    Image for Python 3 is attached.
  • 2
    Lol. Secure Python
  • 2
    @sariel Ignition uses it (well jython) to control whole factories. Of course they just put javascript on a space station or something. So yeah...
  • 2
    @Demolishun what did they use it on, the space toilet?

    Must be why it's always fucking broken.
  • 4
    Is Python even expected to be secure? I was always under the impression it was there to get up and running quickly to test an idea and then you dump it as quick as you can for a proper implementation.
  • 2
    @NikhilM42 problem is most jr's don't get past the concept part of any new project and dive head first into the shallow end of the security pool.

    Then you have product managers that hogtie the sr's hands behind their backs with the mountains of made-up bullshit with zero requirements.

    And finally, the execs at the top bemoan and bitch about how nobody can do their fucking jobs in all this chaos, so let's fire the lot of them and make MORE chaos!
  • 6
    @NikhilM42 The question always is "secure against what" - if someone can write to files loaded (executed) at program start, it is always "over", no matter what programming language.
  • 0
    @NikhilM42 Python is perfectly capable of running in production securely just as much as another language is. Hell you can secure PHP if you try enough.

    I would say C and C++ have more CVEs total than python code bases because of memory management issues.
  • 1
    @lungdart it also helps that C and C++ are used in almost every language, so the impacts are far more impressive.
Add Comment