
I was reading this Python 2.7 tutorial and they're going over raw_input(), and it mentions that:

The input() function will try to convert things you enter as if they were Python code, but it has security problems so you should avoid it.

I tried Googling some explanations for this, but it's still a bit unclear to me; what's a simple explanation of the alleged inherent security issues with input() vs raw_input()?

AdjunctProfessorFalcon
  • Try creating an object as `a` and give it some input. Then use the input() function to get user input from the command line, then just type `a` without quotes and print the value obtained from the user – The6thSense Jul 02 '15 at 05:00

1 Answer


The input() function in Python 2.x evaluates things before returning.

So as an example you can take a look at this -

>>> input("Enter Something : ")
Enter Something : exit()

This would cause the program to exit (as it would evaluate exit()).

Another example -

>>> input("Enter something else :")
Enter something else :__import__("os").listdir('.')
['.gtkrc-1.2-gnome2', ...]

This would list the contents of the current directory; you can also use functions such as os.chdir(), os.remove(), os.removedirs(), os.rmdir()

Anand S Kumar
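To make the mechanism concrete, here is an added example that is not part of the answer above. It is written for Python 3 (where the old raw_input() was renamed to input() and the evaluating input() was removed), so the Python 2 behaviour is reproduced by wrapping eval() around the typed text. The names py2_style_input, literal_input and int_input are my own, and `secret` is a constructed stand-in for the object `a` mentioned in the comment. The typed text is passed in as a string rather than read from stdin so the example runs without a terminal.

```python
import ast

# Constructed example: a module-level value that untrusted input should
# never be able to reach (the object `a` in The6thSense's comment).
secret = "s3cr3t-api-key"


def py2_style_input(text):
    """Mimic Python 2's input(), which is literally eval(raw_input(prompt)).

    Whatever the user types is evaluated as Python with this module's
    globals, so names in scope leak and arbitrary calls run.
    """
    return eval(text)


def literal_input(text):
    """Safe replacement: accept only Python literals (numbers, strings,
    lists, tuples, dicts, sets, booleans, None).

    ast.literal_eval rejects names, attribute access and calls with
    ValueError, so `secret` or `__import__('os').getcwd()` never execute.
    """
    return ast.literal_eval(text)


def int_input(text):
    """Stricter still: when a number is expected, parse it as one and
    let anything else fail loudly with ValueError."""
    return int(text.strip())


def demo():
    """Run the hazard and the fix side by side; returns the outcomes."""
    results = {}

    # 1. Name leak: typing the bare name returns the object's value.
    results["leak"] = py2_style_input("secret")

    # 2. Arbitrary code: the answer's __import__ trick, calling os.getcwd()
    #    instead of listdir() so the result is a single string.
    results["exec"] = py2_style_input("__import__('os').getcwd()")

    # 3. literal_eval still accepts structured data...
    results["literal_ok"] = literal_input("[1, 2, 'three']")

    # 4. ...but refuses every payload that relies on evaluation.
    for payload in ("secret", "__import__('os').getcwd()", "exit()"):
        try:
            literal_input(payload)
            results[payload] = "accepted"
        except (ValueError, SyntaxError):
            results[payload] = "rejected"

    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value!r}")
    print("int_input(' 42 ') ->", int_input(" 42 "))
```

The takeaway is that raw_input() (input() in Python 3) hands back a string and leaves parsing to you; when you need a value of a known type, convert it explicitly with int()/float() or ast.literal_eval() rather than ever calling eval() on it.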