> Using "setattr" to set attributes, where the attribute string
> comes from an external source, can create a security hole. Remember
> that you can override functions on an object, for that object only,
> by setting an attribute. This offers the opportunity for an attack
> similar to SQL injection. Think about what this can do to a parser
> that has and calls a method "display" for each element:
>
> <element display='lambda x : subprocess.Popen("rm -r -f /")'>
>
> You are pwned.

Nope. You’d have to give setattr a function object, not a string.

Regards

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
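The point this exchange turns on, as an added example that is not part of either message: a parser that copies XML attributes onto an object with setattr stores a str, so a shadowed method stops being callable instead of running the text, and an allowlist keeps the method intact. The Element class, both loaders and the ALLOWED set are hypothetical, and the XML input is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: one attribute is named like a method and holds source text.
SAMPLE = '<element display="lambda x: 1" title="hello"/>'


class Element:
    def display(self):
        return "rendered"


def naive_load(xml_text):
    """Copy every XML attribute onto the object, as in the quoted scenario."""
    node = ET.fromstring(xml_text)
    elem = Element()
    for name, value in node.attrib.items():
        setattr(elem, name, value)  # value is always a str; nothing compiles it
    return elem


ALLOWED = frozenset({"title"})  # hypothetical allowlist of data-only attribute names


def strict_load(xml_text):
    """Set only allowlisted names and never shadow an attribute of the class."""
    node = ET.fromstring(xml_text)
    elem = Element()
    rejected = []
    for name, value in node.attrib.items():
        if name in ALLOWED and not hasattr(Element, name):
            setattr(elem, name, value)
        else:
            rejected.append(name)
    return elem, rejected


def call_display(elem):
    """Return display()'s result, or the exception name if the call fails."""
    try:
        return elem.display()
    except TypeError as exc:
        return type(exc).__name__


if __name__ == "__main__":
    naive = naive_load(SAMPLE)
    print(type(naive.display).__name__, call_display(naive))
    strict, rejected = strict_load(SAMPLE)
    print(call_display(strict), rejected)
```

The naive loader's failure mode is a broken display call on that one instance, which a parser should still treat as malformed input and reject up front.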