Open sigoa opened 6 years ago
Yes, and that's why it is just an example. Functionality and safety are contrary things and require a trade-off. But an example is good to be simple and brute, I think. Those who really need safety would choose some safe eval substitution as shown in http://docs.pwntools.com/en/stable/util/safeeval.html , and others would be responsible for what they have typed.
PS. Safe eval doesn't mean real safety. You can still construct a forever loop there and crash the krunner. So actually there is no such thing as absolute safety in the world.
Running `res = eval(query)` on anything that example_calc.py is getting is very dangerous. subprocess. sth. like `Popen(['/bin/bash', '-c', " rmdir . "])`. Some folks don't want to eval.