On 06/28/18 07:30, Grant Edwards wrote:
I still maintain it's a bad idea to run arbitrary code found in
user-edited config files.
There may be cases where somebody has figured out how to muck with a
config file that's shared among multiple users, or has tricked
somebody into including something from an untrusted source in an
include file.
Or there could be users who don't know what they're doing and
unwittingly type something harmful into a config file:
bad_command = os.system("rm -rf ~/*")
Yes, I know, users would never be that dumb...
I agree with you that it's a bad idea. I was pointing out that I look
at it from an input validation viewpoint rather than a security
viewpoint - that's all.
Absolute security isn't a solvable problem. It isn't even a technical
problem. But that's a discussion for another time...
-Jim
--
https://mail.python.org/mailman/listinfo/python-list
