commit 6a2974b8085d8fc64d714ac1e543318b88f51e31 Author: Damian Johnson atagar@torproject.org Date: Sat Jan 3 14:47:11 2015 -0800

Avoid dangerous input() call

Python3 wisely killed input() because it's risky, and renamed raw_input() to input(). This is great, but simply changing raw_input() to input() as 2to3 did means arbitrary code execution in python2, and breaks our interpreter. --- stem/interpreter/__init__.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/stem/interpreter/__init__.py b/stem/interpreter/__init__.py index f4fac8e..c96e11c 100644 --- a/stem/interpreter/__init__.py +++ b/stem/interpreter/__init__.py @@ -18,6 +18,7 @@ import sys

import stem import stem.connection +import stem.prereq import stem.process import stem.util.conf import stem.util.system @@ -125,7 +126,12 @@ def main(): while True: try: prompt = '... ' if interpreter.is_multiline_context else PROMPT - user_input = input(prompt) + + if stem.prereq.is_python_3(): + user_input = input(prompt) + else: + user_input = raw_input(prompt) + response = interpreter.run_command(user_input)

if response is not None: