Original post: hachyderm.io (Mastodon)
this post was submitted on 21 Mar 2025
640 points (99.5% liked)
Programmer Humor
21809 readers
1775 users here now
Welcome to Programmer Humor!
This is a place where you can post jokes, memes, humor, etc. related to programming!
For sharing awful code theres also Programming Horror.
Rules
- Keep content in english
- No advertisements
- Posts must be related to programming or programmer topics
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Probably, but if you're interpreting user inputs as raw code, you've got much much worse problems going on, lol.
[...]®ister=import os; os.system("sudo rm -rf /"); return TrueHey, that's my username too. Or it was going to be, while the site was still up.
What a coincidence!
I guess I'll wait for the site to come back, and see if it's still available...
It's the settiings file... It's probably supposed to only be written by the system admin.
A good place to put persistent malware. That's why when using docker images always mount as ro if at all possible.
It’s you can modify the settings file you sure as hell can put the malware anywhere you want
Every environment has plenty of good places to put persistent malware. Even if you run your docker images as ro.
Given the warning about capitalization, the best possible case is that they're using ast.literal_eval() rather than throwing untrusted input into
eval().Err, I guess they might be comparing strings to 'True' and are choosing to be really strict about capitalization for some reason.
Yeah. Maybe .to_lower() is really expensive in their environment, lol.
It's not User input, it's config file