SafeConfigParser can set unsafe values
Hamish Moffatt
hamish at cloud.net.au
Tue Jul 10 18:37:49 EDT 2007
SafeConfigParser is supposed to be safer than ConfigParser, but calling
set with a string value containing '%' generates exceptions when you
get() it back.
Python 2.5.1 (r251:54863, Apr 25 2007, 21:31:46)
[GCC 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import configparser
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: No module named configparser
>>> import ConfigParser
>>>
>>> x=ConfigParser.SafeConfigParser()
>>> x.add_section('test')
>>> x.set('test', 'a', 'hi%there')
>>> x.get('test', 'a')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.5/ConfigParser.py", line 525, in get
    return self._interpolate(section, option, value, d)
  File "/usr/lib/python2.5/ConfigParser.py", line 593, in _interpolate
    self._interpolate_some(option, L, rawval, section, vars, 1)
  File "/usr/lib/python2.5/ConfigParser.py", line 634, in _interpolate_some
    "'%%' must be followed by '%%' or '(', found: %r" % (rest,))
ConfigParser.InterpolationSyntaxError: '%' must be followed by '%' or
'(', found: '%there'
ConfigParser does not do this:
>>> y=ConfigParser.ConfigParser()
>>> y.add_section('test')
>>> y.set('test', 'a', 'hi%there')
>>> y.get('test', 'a')
'hi%there'
Should SafeConfigParser.set() be escaping automatically?
Hamish
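
Added example, not part of the original post: a Python 3 sketch of storing arbitrary strings through the interpolating parser by escaping '%' before set(). It assumes Python 3's configparser, where ConfigParser is the renamed SafeConfigParser and set() rejects a lone '%' with ValueError. The helper names, the "password" option and the sample values are constructed for illustration.

```python
import configparser


def escape_percent(value):
    """Escape '%' so BasicInterpolation returns the value unchanged on get()."""
    return value.replace("%", "%%")


def set_literal(parser, section, option, value):
    """Store an arbitrary string so that get() yields exactly that string."""
    if not parser.has_section(section):
        parser.add_section(section)
    parser.set(section, option, escape_percent(value))


def demo():
    results = {}
    parser = configparser.ConfigParser()  # successor of SafeConfigParser
    parser.add_section("test")
    parser.set("test", "password", "s3cret")  # constructed sample value

    # A lone '%' is refused at set() time rather than failing later in get().
    try:
        parser.set("test", "a", "hi%there")
        results["raw_set"] = "accepted"
    except ValueError:
        results["raw_set"] = "rejected"

    # A syntactically valid reference is accepted and expanded on get(), so an
    # unescaped value taken from input can pull in other options' contents.
    parser.set("test", "label", "%(password)s")
    results["unescaped_reference"] = parser.get("test", "label")

    # Escaped on the way in, both strings round-trip literally.
    for option, value in (("a", "hi%there"), ("label", "%(password)s")):
        set_literal(parser, "test", option, value)
        results[option] = parser.get("test", option)

    # With interpolation disabled, '%' needs no escaping at all.
    plain = configparser.ConfigParser(interpolation=None)
    plain.add_section("test")
    plain.set("test", "a", "hi%there")
    results["no_interpolation"] = plain.get("test", "a")
    return results
```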