generating method names 'dynamically'

Fredrik Lundh fredrik at pythonware.com
Sun Jan 29 05:02:44 EST 2006


"Unknown" wrote:

> >> Well, I would normally do what you suggest, using parameters, but in
> >> the example at hand I have to have the method names as variables and
> >> the reason is that the whole thing will be run by apache using
> >> mod_python and the publisher handler. There a URL
> >> http://something.com/program2/Bob is mapped to the 'Bob' method of the
> >> file program2.py and I want to be able to have URLs with different
> >> names. I know I can solve this problem with parameters and functions
> >> and using the GET http method, but I would like to have pretty URLs
> >> without & and ? signs. I didn't want to ask this on the mod_python
> >> list because after all it's a pure Python question.
> >
> > Ouch! This certainly seems like a possible security hole!
>
> I wouldn't think so, as long as Klass doesn't have /other/ methods - as
> long as it only has methods that are meant to be viewed externally.
> Which would probably not be the way one would ordinarily write the
> class, but if one knew one had to, one should be fine.

the security issue isn't "making arbitrary methods available from an
instance", the security issue is "using getattr to map URL fragments
to attribute accesses or method calls".

anyone doing this should study this security advisory (and the module
it talks about) carefully:

    http://www.python.org/security/PSF-2005-001/

</F>
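
Added example, not part of the original post and not mod_python code: the getattr-based lookup described above, beside an explicit table of handlers whose names are still generated at run time. Pages, naive_dispatch, safe_dispatch, EXPOSED and make_greeter are hypothetical names, and the secret is a constructed value.

```python
# Added example. Pages, naive_dispatch, safe_dispatch, EXPOSED and
# make_greeter are hypothetical names; the secret is a constructed value.

class Pages:
    """Object whose methods are meant to be reachable as /program2/<name>."""

    def __init__(self):
        self._db_password = "constructed-secret"

    def Bob(self):
        return "hello from Bob"

    def purge_cache(self):
        # Maintenance helper that was never meant to be reachable by URL.
        return "cache purged"


def naive_dispatch(obj, fragment):
    """The pattern the post warns about: URL fragment -> attribute name."""
    target = getattr(obj, fragment)
    return target() if callable(target) else target


# Hardened form: an explicit table is the only thing a fragment can select.
EXPOSED = {}

def make_greeter(name):
    def handler():
        return "hello from %s" % name
    return handler

# Handler names can still be generated at run time, as the thread asks for.
for page_name in ("Bob", "Alice"):
    EXPOSED[page_name] = make_greeter(page_name)


def safe_dispatch(fragment):
    """Dictionary lookup only; no attribute access on any object."""
    handler = EXPOSED.get(fragment)
    if handler is None:
        raise LookupError("no such page: %r" % (fragment,))
    return handler()


if __name__ == "__main__":
    page = Pages()
    for frag in ("Bob", "purge_cache", "_db_password"):
        print(frag, "->", naive_dispatch(page, frag), "| table:", frag in EXPOSED)
```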