Simple explanation of security issues related to input() vs raw_input() [duplicate]

I was reading this Python 2.7 tutorial and they're going over raw_input(), and it mentions that:

The input() function will try to convert things you enter as if they were Python code, but it has security problems so you should avoid it.

I tried Googling some explanations for this, but it's still a bit unclear to me: what's a simple explanation of the alleged inherent security issues with input() vs raw_input()?

AdjunctProfessorFalcon asked Feb 09 '23 16:02


1 Answer

The input() function in Python 2.x evaluates things before returning.

So, as an example, you can take a look at this:

>>> input("Enter Something : ")
Enter Something : exit()

This would cause the program to exit (as it would evaluate exit()).

Another example:

>>> input("Enter something else :")
Enter something else :__import__("os").listdir('.')
['.gtkrc-1.2-gnome2', ...]

This would list out the contents of the current directory; you can also use functions such as os.chdir(), os.remove(), os.removedirs(), os.rmdir().

Anand S Kumar answered Feb 12 '23 06:02
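An added example, not part of the question or the answer above, written for Python 3 so it runs today. It models Python 2's input() as eval() over the typed text (which is what Python 2 did: input() was raw_input() followed by eval()) and runs the same constructed inputs through two safer readers: ast.literal_eval, which accepts Python literals but refuses calls, names and imports, and a plain int() conversion with range checks. The function names, the sample inputs and the `compare` reporting format are this example's own choices; the `__import__` payload mirrors the answer above with listdir() swapped for the quieter getcwd().

```python
import ast


def python2_input(typed):
    """Model of Python 2's input(): the typed text is evaluated as a Python
    expression, exactly as the answer above shows. Kept only to make the
    problem concrete; never call this on text you do not control."""
    return eval(typed)


def literal_input(typed):
    """Safer reader: ast.literal_eval accepts Python literals only (numbers,
    strings, tuples, lists, dicts, sets, booleans, None). Names, calls,
    attribute access and __import__ are rejected with ValueError before
    anything is executed."""
    return ast.literal_eval(typed)


def int_input(typed, lo=None, hi=None):
    """What most programs actually want: read a string, convert it explicitly,
    and validate the result. int() never executes anything."""
    value = int(typed.strip())
    if lo is not None and value < lo:
        raise ValueError("value %d below minimum %d" % (value, lo))
    if hi is not None and value > hi:
        raise ValueError("value %d above maximum %d" % (value, hi))
    return value


READERS = (
    ("python2_input", python2_input),
    ("literal_input", literal_input),
    ("int_input", int_input),
)


def compare(typed):
    """Run one piece of typed text through all three readers and report, per
    reader, either 'ok:<type of the result>' or 'rejected:<exception class>'.
    SystemExit (e.g. from typing exit()) is deliberately not caught, so a
    legacy-style eval of that input really does terminate the process."""
    outcome = {}
    for name, reader in READERS:
        try:
            value = reader(typed)
            outcome[name] = "ok:" + type(value).__name__
        except Exception as exc:
            outcome[name] = "rejected:" + type(exc).__name__
    return outcome


def read_int(prompt, lo=None, hi=None):
    """Interactive version for real use. Python 3's input() behaves like
    Python 2's raw_input() (it returns the raw string), so conversion and
    validation stay explicit and a bad line just prompts again."""
    while True:
        try:
            return int_input(input(prompt), lo, hi)
        except ValueError as exc:
            print("invalid input: %s" % exc)


# Constructed inputs, not captured from a real session. The third one is the
# kind of payload the answer above types into Python 2's input().
SAMPLES = ("42", "[1, 2]", "__import__('os').getcwd()")

if __name__ == "__main__":
    for typed in SAMPLES:
        print(repr(typed), compare(typed))
```

Running the block prints one line per sample: the harmless "42" is accepted by all three readers, the list literal is accepted by eval and literal_eval but rejected by int(), and the `__import__` payload is executed only by the Python 2 model, while both safer readers raise ValueError without running anything. Use `read_int` (or literal_input for structured literals) in place of Python 2's input(); on Python 3, input() already returns a string, so the eval step and its problems are gone.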