On 03/12/2013 12:05 AM, Michael Torrie wrote:
> On 03/11/2013 06:48 PM, Dave Angel wrote:
>> I hope you're just kidding.  execfile() and exec() are two of the most
>> dangerous mechanisms around.  import or __import__() would be much
>> better, as long as your user hasn't already run myapp.py as his script.
>
> It's not possible to setuid a python script, so I don't see how execfile
> or exec is any more dangerous than the user creating a shell script that
> rm -rf * things, and then running it.
>
> Bash "exec's" scripts all the time that users create and provide.  How
> is this different and what issues did you have in mind, exactly?


Mainly that exec and execfile are a slippery slope for a new programmer. Once they get it into their minds that this is the way to do things, they'll soon fall into using one of them on raw_input() data, on network data, and on other untrusted sources.


--
DaveA
--
http://mail.python.org/mailman/listinfo/python-list
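The failure mode Dave describes (exec on raw_input() or network data) next to the two alternatives the thread mentions, as an added example that is not code from either poster. It is written for Python 3, so exec() stands in for execfile() and input() for raw_input(); the hostile and benign sample strings, the plugin allowlist and the use of the json package as a stand-in plugin package are all constructed for this example.

```python
"""Added example (not from the thread): exec() on user-supplied text beside
two safer alternatives. Python 3, so exec() stands in for execfile()."""
import ast
import importlib
import re

# Constructed sample inputs. The hostile one is any expression that does
# more than describe data; under exec() it runs with the caller's privileges.
BENIGN_SETTING = "{'workers': 4, 'debug': False}"
HOSTILE_SETTING = "__import__('os').getpid()"


def parse_setting_unsafe(text):
    """The anti-pattern: exec() on text that came from input() or a socket.
    Whatever the string contains is executed, not merely parsed."""
    namespace = {}
    exec("value = " + text, namespace)
    return namespace["value"]


def parse_setting_safe(text):
    """Hardened form for *data*: ast.literal_eval accepts only Python
    literals (strings, numbers, tuples, lists, dicts, sets, bools, None)
    and raises ValueError on calls, attribute access, names and the like."""
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        raise ValueError("rejected non-literal setting %r: %s" % (text, exc))


def is_rejected(text):
    """True if the safe parser refuses the text (to show the contrast)."""
    try:
        parse_setting_safe(text)
    except ValueError:
        return True
    return False


# For *code* the program is meant to load (plugins), importing by a
# validated name is the route Dave suggests instead of exec()/execfile().
# The package name and allowlist below are assumptions for this example;
# json is used only because its submodules exist on every Python install.
PLUGIN_PACKAGE = "json"
ALLOWED_PLUGINS = {"decoder", "encoder"}
_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def load_plugin(name):
    """Import a plugin by allowlisted identifier rather than exec()ing a
    path or source text the user typed. Dotted names, slashes and anything
    outside the allowlist are refused before importlib sees them."""
    if not _NAME_RE.match(name) or name not in ALLOWED_PLUGINS:
        raise ValueError("unknown plugin %r" % name)
    return importlib.import_module(PLUGIN_PACKAGE + "." + name)


def plugin_rejected(name):
    """True if load_plugin refuses the name (to show the contrast)."""
    try:
        load_plugin(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe benign :", parse_setting_unsafe(BENIGN_SETTING))
    print("unsafe hostile:", parse_setting_unsafe(HOSTILE_SETTING), "(code ran)")
    print("safe   benign :", parse_setting_safe(BENIGN_SETTING))
    print("safe   hostile rejected:", is_rejected(HOSTILE_SETTING))
    print("plugin decoder:", load_plugin("decoder").__name__)
    print("plugin ../evil rejected:", plugin_rejected("../evil"))
```

The point of the pairing: both parsers accept the benign dict, but only the exec() version also "accepts" the hostile string, by running it. The same habit on a socket read is a remote code execution bug; ast.literal_eval for data and a validated import for code cover the common cases without ever evaluating the user's text.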
