Security considerations of execfile()

Gordon McMillan gmcm at hypernet.com
Wed Sep 8 18:40:56 EDT 1999


Preston Landers wrote:
> 
> I'm thinking of using the execfile() built-in function in one of my
> programs (Pagecast) and I'm wondering about some security
> considerations.
> 
> Basically, the program will execute all files with a certain
> extension in a certain directory as Python code. 
...
> My question is what kind of security, if any, does execfile()
> provide (my guess: none) and should I consider working with the
> rexec module?
...
Can't really say much about rexec (except I understand it's quite 
restrictive) 'cause I haven't used it.

I've used plain execfile without worry in a sort of similar 
situation, but only I (and root) could put things in the magic 
directory.

You can pass execfile a dictionary to use instead of globals. The 
trick is, though, that if the dict does NOT have something called 
"__builtins__" in it, Python will stick the real __builtins__ in 
there.

I'm not sure what kind of attack you're worried about. Personally, 
not being the paranoid type, I'd be inclined to use just OS security 
if I could. 

- Gordon

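An added example (not code from the thread) showing the behaviour Gordon describes: the dict handed to execfile() gets the real builtins inserted when it has no "__builtins__" key, and pre-setting an empty "__builtins__" only strips names, not privileges. It assumes Python 3, where execfile(path, d) is spelled exec(compile(open(path).read(), path, "exec"), d); the plugin source is constructed.

```python
"""Added example: what happens to the globals dict you pass to
execfile()/exec() when it does or does not contain "__builtins__".

execfile() is Python 2 only; Python 3 writes the same operation as
exec(compile(source, path, "exec"), globals_dict). The behaviour is the
same in both: if the dict lacks "__builtins__", the interpreter inserts
the real builtins before running the file.
"""
import builtins
import os
import tempfile

# Constructed stand-in for a file dropped into the "magic directory".
PLUGIN_SOURCE = "result = len(open.__name__)\n"


def run_plugin(path, namespace):
    """Execute a Python file in the given dict, like execfile(path, namespace)."""
    with open(path) as fh:
        code = compile(fh.read(), path, "exec")
    exec(code, namespace)
    return namespace


def builtins_injected(namespace):
    """True if the interpreter silently added the real builtins to the dict."""
    b = namespace.get("__builtins__")
    return b is builtins or b is builtins.__dict__


def demo():
    """Returns ((builtins_injected, result), outcome_with_empty_builtins)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "plugin.py")
        with open(path, "w") as fh:
            fh.write(PLUGIN_SOURCE)

        # Case 1: a plain dict. The real builtins are inserted, so the
        # plugin can call open(), len(), __import__() ... as your uid.
        ns = run_plugin(path, {})
        plain = (builtins_injected(ns), ns.get("result"))

        # Case 2: "__builtins__" pre-set to {}. The obvious names are gone
        # and the plugin dies with NameError. This is not a sandbox: the
        # code still runs with your OS privileges, which is why relying on
        # filesystem permissions for the directory is the sound choice.
        try:
            run_plugin(path, {"__builtins__": {}})
            restricted = "ran"
        except NameError:
            restricted = "NameError"
        return plain, restricted
```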