import from user input?
Christian Tismer
tismer at appliedbiometrics.com
Fri Apr 9 11:26:28 EDT 1999
Charles G Waldman wrote:
>
> Christian Tismer writes:
> >
> > import string
> > globals()[string.split(modname, ".")[0]] = __import__(modname)
> >
> > seems to do it better.
> >
>
> Why not just
>
> exec "import "+modname
See my former post.
It works for you and me, but if I have to be aware of
users trying things like
modname = "sys;sys.exit()"
to name a quite harmless idea, you would have more work to
prevent this than by a string which is not a parsed command.
I think it's not clean to give the user full access to your
namespace and interpreter. Not if you are the user, of course.
But if you allow arbitrary strings to be executed, you are poking
a big hole into your software. How about
modname = "sys;None=5"
This was just a concern, which would more apply to Internet
CGI scripts. Using these concepts thoughtlessly with the proper
pickled string would let your user break into your module
completely.
ciao - chris
--
Christian Tismer :^) <mailto:tismer at appliedbiometrics.com>
Applied Biometrics GmbH : Have a break! Take a ride on Python's
Kaiserin-Augusta-Allee 101 : *Starship* http://starship.python.net
10553 Berlin : PGP key -> http://wwwkeys.pgp.net
PGP Fingerprint E182 71C7 1A9D 66E9 9D15 D3CC D4D7 93E2 1FAE F6DF
we're tired of banana software - shipped green, ripens at home
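
An added example, not part of the original post: the "string which is not a parsed command" approach in present-day Python 3, where the user's module name is validated as a dotted identifier and passed to importlib as data, so the two strings from the post are rejected instead of executed. The allowlist, the function names and the caller-owned namespace dict are assumptions of this example that go beyond the post; importing a module still runs that module's own top-level code, which is why the allowlist is there.

```python
import importlib
import re

# Assumption for this example: the application decides which top-level
# packages a user may name. These three are placeholders.
ALLOWED_TOP_LEVEL = {"json", "math", "os"}

# A dotted module name is a sequence of identifiers joined by single dots.
_DOTTED_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*")


def import_from_user(modname, namespace):
    """Import modname as data, never as code, and bind its top-level
    package into `namespace` (a dict the caller owns, not globals())."""
    if not isinstance(modname, str) or not _DOTTED_NAME.fullmatch(modname):
        raise ValueError("not a dotted module name: %r" % (modname,))
    top = modname.split(".")[0]
    if top not in ALLOWED_TOP_LEVEL:
        raise ValueError("module not permitted: %r" % (top,))
    importlib.import_module(modname)  # loads the whole dotted chain
    namespace[top] = importlib.import_module(top)
    return namespace[top]


def check_all(candidates):
    """Return {candidate: bound name or 'rejected'} for a list of inputs."""
    results = {}
    for cand in candidates:
        ns = {}
        try:
            import_from_user(cand, ns)
            results[cand] = sorted(ns)[0]
        except ValueError:
            results[cand] = "rejected"
    return results


if __name__ == "__main__":
    # Constructed inputs; the second and third are the strings from the post.
    for name, outcome in check_all(
        ["os.path", "sys;sys.exit()", "sys;None=5", "subprocess"]
    ).items():
        print("%-18s -> %s" % (name, outcome))
```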