
You should never assume any method of executing any attacker controlled code is safe, unless something explicitly calls that out and also has put Google-level amounts of effort into supporting that.


My interpreter only accepts print and addition to a predefined variable. Let the attackers print and count all they want.

The problem isn’t the execution, it’s the scope of what it means to “execute”.


Depending on the implementation, there might still be multiple bugs lurking, especially in input parsing.
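Added example, not code from this thread or from any commenter: a sketch of the "print and add" interpreter discussed above, showing where input-parsing surprises come from and how a strict grammar closes them. The grammar, limits and all names (`run`, `Rejected`, `naive_accepts`, `rejects`) are assumptions made for illustration.

```python
import re

# Assumed grammar (not from the thread), one statement per "\n"-terminated line:
#   print | add <1 to 18 ASCII decimal digits>
MAX_PROGRAM = 4096                       # cap on total input size in bytes
LIMIT = 2**63 - 1                        # cap on the accumulator
ADD_RE = re.compile(r"add ([0-9]{1,18})")  # [0-9], not \d: ASCII digits only

class Rejected(Exception):
    """Raised for any input outside the grammar or the resource limits."""

def run(program: bytes, start: int = 0) -> list:
    """Interpret untrusted `program`; return the list of printed values."""
    if len(program) > MAX_PROGRAM:
        raise Rejected("program too large")
    try:
        text = program.decode("ascii")   # refuse non-ASCII before any parsing
    except UnicodeDecodeError:
        raise Rejected("non-ASCII input") from None
    lines = text.split("\n")             # split only on "\n", unlike splitlines()
    if lines[-1] == "":
        lines.pop()                      # allow one trailing newline
    acc, out = start, []
    for n, line in enumerate(lines, 1):
        if line == "print":
            out.append(acc)
            continue
        m = ADD_RE.fullmatch(line)       # whole line must match, no leftovers
        if m is None:
            raise Rejected(f"line {n}: not in grammar")
        acc += int(m.group(1))
        if acc > LIMIT:
            raise Rejected(f"line {n}: accumulator over limit")
    return out

def naive_accepts(token: str) -> bool:
    """What a bare int() call would accept as an operand."""
    try:
        return int(token) is not None
    except ValueError:
        return False

def rejects(program: bytes) -> bool:
    """True if the strict interpreter refuses `program`."""
    try:
        run(program)
    except Rejected:
        return True
    return False
```

A bare `int()` quietly accepts signs, surrounding whitespace, underscores and non-ASCII digits, so an interpreter built on it parses a larger language than its author had in mind; the strict version refuses all of those and bounds both input size and accumulator growth.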



