Python Search – eval(raw_input()) - Nurdok
https://github.com/search?p=8&q=%22eval%28raw_input%28%29%29%22&ref=searchresults&type=Code

======
alecdbrooks
Note that a number of these seem to be from people including Python itself
within their project [0]. (Arguably, this could also be considered a mistake.)
Python 2 defines the input() built-in, which is documented as:

>input([prompt]) -> value

>Equivalent to eval(raw_input(prompt)).

GitHub is turning up these results because that bit of Python is inside the C
code as a string documenting the function.

Python 3 does not evaluate what's passed to input(), however. To get the same
effect, use eval(input()). [1]

[0]: Limiting it to C examples
[https://github.com/search?l=c&q=%22eval%28raw_input%28%29%29...](https://github.com/search?l=c&q=%22eval%28raw_input%28%29%29%22&ref=searchresults&type=Code)

[1]:
[https://docs.python.org/3.0/whatsnew/3.0.html#builtins](https://docs.python.org/3.0/whatsnew/3.0.html#builtins)
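An added example (not from this thread or from any of the projects the search turns up) that puts the two points above into code: a small `ast`-based checker that flags `eval(raw_input(...))`, `eval(input(...))` and bare Python 2 `input(...)` calls in a source file, plus the usual replacement, `ast.literal_eval`, which accepts plain literals and refuses anything that would execute. The sample source it scans is constructed here.

```python
import ast

# Constructed sample, mimicking the "learning Python" scripts the search finds.
# It is only parsed, never executed.
SAMPLE_SOURCE = """\
n = eval(raw_input("how many? "))
choice = input("pick one: ")
name = raw_input("name: ")
total = sum(range(n))
"""

# Calls that, wrapped in eval() (or on their own under Python 2), run stdin as code.
STDIN_READERS = {"input", "raw_input"}


def _call_name(node):
    """Return the callee name of a plain call like eval(...), else None."""
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
        return node.func.id
    return None


def find_eval_input(source):
    """Return sorted (lineno, message) pairs for calls that evaluate stdin.

    eval(input(...)) and eval(raw_input(...)) are flagged directly; a bare
    input(...) is flagged because Python 2 defines it as eval(raw_input(...)).
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        name = _call_name(node)
        if name == "eval" and node.args and _call_name(node.args[0]) in STDIN_READERS:
            inner = _call_name(node.args[0])
            findings.append((node.lineno, "eval(%s()) executes whatever stdin supplies" % inner))
        elif name == "input":
            findings.append((node.lineno, "input() is eval(raw_input()) on Python 2"))
    return sorted(findings)


def read_literal(text):
    """Safe replacement for eval(raw_input()): parse one Python literal
    (number, string, list, dict, ...) without executing anything."""
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, MemoryError, RecursionError) as exc:
        raise ValueError("not a plain literal: %r" % text) from exc
```

Running `find_eval_input` over a checkout is a cheaper and more precise version of the GitHub search above, since it ignores docstrings and comments that merely mention the pattern.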

------
CJefferson
Is evaling raw_input really that dangerous?

We are not evaling something from a file, or from an internet connection. We
are evaling something typed in at the keyboard.

Assuming your python isn't setuid root, anyone at the keyboard could just open
a new terminal, type 'python', and start evaling raw_input as much as they
like.

~~~
bananas
Doesn't that depend on what's connected to stdin?

~~~
dec0dedab0de
Is raw_input the same as stdin? I don't think you can pipe other programs into
it.

~~~
eurleif
>is raw_input the same as stdin?

Yes.

    $ echo foo | python -c 'print raw_input()[::-1]'
    oof

~~~
dec0dedab0de
Upvoted. I guess I was thinking more along the lines of one shouldn't use
raw_input() when you're expecting a pipe since it only takes one line.

    $ ps | python -c 'print raw_input()'
      PID TTY          TIME CMD

But I suppose you could just loop to get around that anyway.

------
Rantenki
While this is obviously a bad practice in any production codebase, this all
looks like "learning python" kind of code, where confusing people with
security implications isn't really going to help anything.

Besides, this isn't even low hanging fruit. If you want to really find some
terrifying github contents, try to think of a library that is used to access
the TTY, say to enter passphrases for ssh/telnet/mount/sudo/etc. in a
PRODUCTION environment. Then think how its API would be used, and search for
that. Example below: using expect to enter passphrases:

Example:

[https://github.com/search?q=+expect+send+root+ssh&type=Code&...](https://github.com/search?q=+expect+send+root+ssh&type=Code&ref=searchresults)

There is a ton of low hanging fruit out there.

------
cosarara97
I use something like that in one of my programs, it's more or less like a
hacky repl (well, without the loop part). It isn't a vulnerability in any way
either, since it's just the user running the code in his computer.

~~~
dsl
Said every author of a security bug ever.

Edit: Not sure why I got downvoted. Developer #1 writes script that prompts
technical user for input expecting (as parent did) that stdin will be a local
console. Developer #2 later wraps script with a web form so sales/marketing
can access the tool as well.

[https://www.owasp.org/index.php/Don't_trust_user_input](https://www.owasp.org/index.php/Don't_trust_user_input)

~~~
adamnemecek
I guess the attack vector of you exploiting your own computer is very real. /s

------
Igglyboo
In python 2.x input() is equivalent to eval(raw_input()) which could have
something to do with seeing this so much. The first result is a docstring that
says literally this.

------
famousactress
My attempt at an advanced search suggests none of them have any stars, so
maybe I'm doing it wrong? Someone better at github search wanna give a go? I'm
curious what the more popular projects in this list might be, or if it's just
all people's local hack scripts.

------
kzrdude
Seems like a cheap shot since you should probably know that Python 2 has a
builtin called input() that does the same thing; it would be more likely to be
used than your combination.

------
PaulSec
Would be nice to get a website referencing all those "dorks". Interesting.

~~~
moloch
Here you go "CodeSearchDiggity":
[http://www.bishopfox.com/resources/tools/google-hacking-digg...](http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/)

------
daGrevis
Bad programmers will code badly in any language. A language change won't help.

~~~
daGrevis
I wanted to add that “eval(input())” is not always a bad thing. It's the core
of a REPL[0], for example.

[0]
[http://en.wikipedia.org/wiki/Read%E2%80%93eval%E2%80%93print...](http://en.wikipedia.org/wiki/Read%E2%80%93eval%E2%80%93print_loop)