1 24-EvilEval

Previous: 23-Regex.html

1.1 Command injection

1.2 Screencasts

• Password for the Vimeo videos is in Zulip chat.
• https://vimeo.com/488857742
• Tip: If anyone want to speed up the lecture videos a little, inspect the page, go to the browser console, and paste this in:
  document.querySelector('video').playbackRate = 1.2

1.3 Python: Evil Eval, Exec, Compile, System calls

Allowing the user to input something that gets executed as code is a bad idea!
* https://docs.python.org/3/library/functions.html#eval
* https://docs.python.org/3/library/functions.html#exec
* https://realpython.com/python-eval-function/
* https://hackernoon.com/10-common-security-gotchas-in-python-and-how-to-avoid-them-e19fbe265e03
* https://www.kevinlondon.com/2015/07/26/dangerous-python-functions.html
* https://www.kevinlondon.com/2015/08/15/dangerous-python-functions-pt2.html
* https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
* https://lucumr.pocoo.org/2011/2/1/exec-in-python/

1.3.1 Code

24-EvilEval/evil_stuff.py

1.4 Bash eval and exec

https://unix.stackexchange.com/questions/296838/whats-the-difference-between-eval-and-exec

1.4.1 Code

24-EvilEval/evil_stuff.sh

../../Security/Content/14-MaliciousSoftware.html
../../Security/Content/17-DefensiveProgramming.html

Next: CompSci 1570 (../../ProgrammingCpp.html.html)