Tim Johnson wrote:

Consider the following console session:
L = ['foo','bar']
locals()[L[0]] = L[1]
[...]
(2) Even if it did work, do you trust the source of the text? Taking external data provided by arbitrary untrusted users and turning it into variables is a good way to have your computer owned by bad guys.
  Say what? I'm not talking about anything accessible by "arbitrary
  users". Sorry if I gave that impression!

No need to apologise, but you were talking about injecting variables straight into your code from a file, which has to come from *somewhere*. It's not a big leap to ask whether you trust the source of that file. If it comes from *you*, then presumably you trust yourself. (If you can't trust yourself, you have more problems than just code injection attacks...) You asked for comments, and I gave them :)

But be careful -- code has a way of ending up used in different circumstances than it originally was created for. What starts off reading a config file you write yourself ends up accepting data uploaded to your web server by anonymous users in Bulgaria :)


--
Steven

_______________________________________________
Tutor maillist  -  Tutor@python.org
To unsubscribe or change subscription options:
http://mail.python.org/mailman/listinfo/tutor
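
Added example, not part of the original message and not code from either poster: one way to read name/value pairs from a file without turning them into variables. Names from the file stay as dictionary keys and are checked against an allow-list. The "name value" line format, the ALLOWED table, the function names and the sample text are all assumptions made for illustration.

```python
# Added example: file-supplied names stay dictionary keys, never variables.
# The "name value" line format and the ALLOWED table are assumptions.

ALLOWED = {"host": str, "port": int, "debug": lambda s: s.lower() == "true"}

SAMPLE = """\
# constructed sample input
host example.org
port 8080
print clobbered
"""

def parse_pairs(text):
    """Yield (lineno, name, value) for each non-blank, non-comment line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        yield lineno, name, value.strip()

def inject_into(namespace, text):
    """The pattern under discussion: every name in the file becomes a variable."""
    for _, name, value in parse_pairs(text):
        namespace[name] = value  # the file decides which names get overwritten
    return namespace

def load_settings(text, allowed=ALLOWED):
    """Return (settings, rejected); only allow-listed names are accepted."""
    settings, rejected = {}, []
    for lineno, name, value in parse_pairs(text):
        convert = allowed.get(name)
        if convert is None:
            rejected.append((lineno, name))  # unknown name: report, do not store
            continue
        try:
            settings[name] = convert(value)
        except ValueError:
            rejected.append((lineno, name))  # value failed type conversion
    return settings, rejected

if __name__ == "__main__":
    ns = inject_into({"print": print}, SAMPLE)
    print("after injection, ns['print'] is", repr(ns["print"]))
    print(load_settings(SAMPLE))
```
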
