updating local()

Jp Calderone exarkun at divmod.com
Wed Oct 5 13:13:45 EDT 2005



On Wed, 5 Oct 2005 18:47:06 +0200, Sybren Stuvel <sybrenuse at yourthirdtower.com.imagination> wrote:
>Flavio enlightened us with:
>> Can anyone tell me why, if the following code works, I should not do
>> this?
>>
>> def fun(a=1, b=2, **args):
>>     print 'locals:', locals()
>>     locals().update(args)
>>     print locals()
>
>Because it's very, very, very insecure. What would happen if someone
>found a way to call that function? It could replace any name in the
>locals dictionary, including functions from __builtins__. In other
>words: probably the whole program could be taken over by other code by
>just one call to that function.
>

If I can call functions in your process space, I've already taken over your whole program.

Jp
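Added illustration of the point under discussion (not code from the thread): in a CPython function, `locals()` hands back a dict built from the frame, and writes to that dict never reach the real local variables, so `locals().update(args)` only appears to work (on CPython up to 3.12 the same dict object is returned on each call, so a later `print locals()` shows the overrides; on 3.13+ each call is a fresh snapshot and even that illusion is gone). By contrast, `globals()` is the live module namespace, which is the only place where an `update()` can actually shadow a builtin name, and only for that module. The `with_explicit_namespace` settings dict and its key names are hypothetical, chosen for the example.

```python
"""Added example, not part of the python-list thread: what locals().update()
actually does inside a function, what globals().update() does, and an
explicit alternative for "override these settings from **kwargs"."""
import builtins


def update_locals_in_function(**overrides):
    """Mimic the posted fun(): update the dict returned by locals() and
    check whether the real local names changed. They never do in CPython:
    the function's locals live in frame slots, and the dict is a copy
    (the same dict object on <=3.12, a fresh snapshot on 3.13+)."""
    a = 1
    b = 2
    frame_dict = locals()
    frame_dict.update(overrides)  # no effect on a, b, or on new names
    try:
        _ = c  # noqa: F821 - only bound if update() created a real local
        c_is_bound = True
    except NameError:
        c_is_bound = False
    return a, b, c_is_bound


def shadow_builtin_via_globals():
    """globals() is the live namespace, so a name written there shadows
    the builtin of the same name for this module only; the builtins
    module itself is untouched, so other modules are unaffected."""
    globals()["len"] = lambda seq: -1  # shadow, for this module
    try:
        shadowed = len([1, 2, 3])  # LOAD_GLOBAL finds the module-level name
    finally:
        del globals()["len"]  # restore normal resolution
    return shadowed, builtins.len([1, 2, 3])


# Hypothetical settings for the explicit alternative below.
DEFAULT_SETTINGS = {"a": 1, "b": 2, "verbose": False, "retries": 3}


def with_explicit_namespace(**overrides):
    """What the original poster most likely wanted: keep the tunable
    values in a real dict and accept only known keys, instead of trying
    to splice caller-supplied names into the function's own scope."""
    settings = dict(DEFAULT_SETTINGS)
    unknown = set(overrides) - set(settings)
    if unknown:
        raise TypeError("unexpected settings: %s" % sorted(unknown))
    settings.update(overrides)
    return settings


if __name__ == "__main__":
    print(update_locals_in_function(a=99, c=3))   # (1, 2, False)
    print(shadow_builtin_via_globals())            # (-1, 3)
    print(with_explicit_namespace(retries=5))
```

The first function is the one to run against the thread's question: whatever `fun()` prints, its real `a` and `b` are unchanged and no new local appears. The second shows the only sense in which Sybren's concern holds, and that even there the damage is confined to the calling module's own name resolution.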
