On 06/27/2018 12:15 PM, Jim Lee wrote:
On 06/27/18 11:45, Abdur-Rahmaan Janhangeer wrote:
and that closes it,
thanks !!!
Abdur-Rahmaan Janhangeer
https://github.com/Abdur-rahmaanJ
Importing variables from a file is dangerous because it can execute
arbitrary code. It should never be done with files provided by the
user.
Using configparser is far, far safer.
It seems a bit silly to me to worry about arbitrary code execution in
an interpreted language like Python whose default runtime execution
method is to parse the source code directly. An attacker would be far
more likely to simply modify the source to achieve his ends rather than
try to inject a payload externally.
These days, "execute arbitrary code" implies a deliberate attack. Now,
if you used input validation as an argument, I would agree that
configparser is, if not safer, easier.
-Jim
Not at all. Because if you're assuming a malicious user (who wasn't the
one to install it), then you're assuming a multi-user environment. In
which case the malicious user wouldn't have modify access to the code,
unless your program says "Hey, Mal E. Factor, why don't you run your
arbitrary code in my environment?"
--
Rob Gaddi, Highland Technology -- www.highlandtechnology.com
Email address domain is currently out of order. See above to fix.
--
https://mail.python.org/mailman/listinfo/python-list
