Horrible security flaw in cmd.py

[kahrkunne]

In cmd.py, line 201 says "out = eval(userInput)". This is an enormous security flaw, to the point where, if you are using cmd.py as cmd for lighthouse, even typing "os.system('rm -rf *')" in the window, without pressing enter, will delete all your files. ==SO DON'T DO THIS==

Being able to run an arbitrary command just by typing it is really horrible. Code shouldn't be executed just by typing it, and this is unlike any other behaviour in lighthouse.

[cicku]

Time to start a new debate around noob level of users? 😂

[emgram769]

this is a good point, it really should only execute when a specific key is hit.
any suggestions for alternative interfaces kahrkunne? perhaps something like eval this part?

[kahrkunne]

Something like "eval" would be fine, yeah. It doesn't really matter what it is anyways, what matters is that it doesn't excecute arbitrary code just by typing it.

This is one of those cases where a liability waiver could actually prove to be useful. Seriously though, consider adding a license.

[emgram769]

added a license file

@kahrkunne if you check out the modules branch, the file config/lighthouse/modules/MathModule.py should resolve the issue of evaluating code. this branch will be merged to master hopefully soon