On Thursday, May 25, 2017 at 9:46:56 AM UTC+2, Aymeric Augustin wrote: > > I'm wary of possible security ramifications: if we do this, changing a > configuration value will import an arbitrary module, which could make it > easier to run arbitrary code in some scenarios. I don't have a clear threat > model in mind here, though. >
One possibility would be to use entrypoints in setuptools, this way 3rd party backends could specify a name which then has a fixed & verified import path. -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/576a3961-6c84-4438-b434-4beaddab38b2%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
