Python Search – eval(raw_input())

17 points by Nurdok, about 11 years ago

9 comments

alecdbrooks, about 11 years ago

Note that a number of these seem to be from people including Python itself within their project [0]. (Arguably, this could also be considered a mistake.) Python 2 defines the input() built-in, which is documented as:

> input([prompt]) -> value

> Equivalent to eval(raw_input(prompt)).

Github is turning up these results because that bit of Python is inside the C code as a string documenting the function.

Python 3 does not evaluate what's passed to input(), however. To get the same effect, use eval(input()). [1]

[0]: Limiting it to C examples: https://github.com/search?l=c&q=%22eval%28raw_input%28%29%29%22&ref=searchresults&type=Code

[1]: https://docs.python.org/3.0/whatsnew/3.0.html#builtins
CJefferson, about 11 years ago

Is evaling raw_input really that dangerous?

We are not evaling something from a file, or from an internet connection. We are evaling something typed in at the keyboard.

Assuming your python isn't setuid root, anyone at the keyboard could just open a new terminal, type 'python', and start evaling raw_input as much as they like.

Comment #7669748 not loaded.
Rantenki, about 11 years ago

While this is obviously a bad practice in any production codebase, this all looks like "learning python" kind of code, where confusing people with security implications isn't really going to help anything.

Besides, this isn't even low hanging fruit. If you want to really find some terrifying github contents, try to think of a library that is used to access the TTY, say to enter passphrases for ssh/telnet/mount/sudo/etc. in a PRODUCTION environment. Then think how its api would be used, and search for that. Example below: using expect to enter passphrases:

Example:

https://github.com/search?q=+expect+send+root+ssh&type=Code&ref=searchresults

There is a ton of low hanging fruit out there.
cosarara97, about 11 years ago

I use something like that in one of my programs, it's more or less like a hacky repl (well, without the loop part). It isn't a vulnerability in any way either, since it's just the user running the code in his computer.

Comment #7669608 not loaded.

Comment #7669618 not loaded.
Igglyboo, about 11 years ago

In python 2.x input() is equivalent to eval(raw_input()), which could have something to do with seeing this so much. The first result is a docstring that says literally this.
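Both alecdbrooks and Igglyboo point out that Python 2's input() was literally eval(raw_input()). The example below is added here and is not code from the thread or from Python itself: it puts that equivalence beside ast.literal_eval, the standard-library parser that accepts Python literals but refuses expressions, attribute access and calls, which is the usual replacement when a program wants a value rather than code. The function names and the sample lines are constructed for the example.

```python
import ast


def legacy_input_semantics(text):
    """What Python 2's input() did with the typed line: eval(raw_input()).

    Any expression is executed, so this only makes sense when the person at
    the keyboard is the same person who could run `python` anyway.
    """
    return eval(text)


def parse_literal(text):
    """Replacement when the program only wants a value, not code.

    ast.literal_eval accepts Python literals (numbers, strings, bytes, tuples,
    lists, dicts, sets, booleans, None) and rejects everything else, including
    arithmetic, names and calls. Rejected input yields None.
    """
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return None


def read_literal(prompt="", reader=input):
    """Python 2 style input() that returns a literal instead of running code.

    `reader` defaults to the real input() and can be swapped for a function
    so the behaviour can be exercised without a terminal (hypothetical name).
    """
    return parse_literal(reader(prompt))


# Constructed sample lines standing in for what someone might type at the prompt.
SAMPLE_LINES = [
    "[1, 2, 3]",       # plain literal: accepted by both
    "{'port': 8080}",  # plain literal: accepted by both
    "2 ** 10",         # expression: eval computes it, literal_eval refuses it
    "len('abc')",      # call: eval runs it, literal_eval refuses it
]


def compare(lines=SAMPLE_LINES):
    """Return {line: (eval result, literal_eval result)} for the sample lines."""
    return {line: (legacy_input_semantics(line), parse_literal(line)) for line in lines}


if __name__ == "__main__":
    for line, (unsafe, safe) in compare().items():
        print(f"{line!r:18} eval -> {unsafe!r:16} literal_eval -> {safe!r}")
```

Running the module prints one row per sample line; the two literal lines parse identically under both functions, while the expression and the call evaluate under eval but come back as None from parse_literal.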
famousactress, about 11 years ago

My attempt at an advanced search suggests none of them have any stars, so maybe I'm doing it wrong? Someone better at github search wanna give a go? I'm curious what the more popular projects in this list might be, or if it's just all people's local hack scripts.
kzrdude, about 11 years ago

Seems like a cheap shot, since you should probably know that Python 2 has a builtin called input() that does the same thing; it would be more likely to be used than your combination.
PaulSec, about 11 years ago

Would be nice to get a website referencing all those "dorks". Interesting.

Comment #7669881 not loaded.
daGrevis, about 11 years ago

Bad programmers will code bad in any language. Language change won't help.

Comment #7669555 not loaded.