Alternatives to XML?

Chris Angelico rosuav at gmail.com
Thu Aug 25 01:46:07 EDT 2016


On Thu, Aug 25, 2016 at 3:33 PM, Frank Millman <frank at chagford.com> wrote:
> @Peter/Chris
> I don't understand - please explain.
>
> If I store the business rule in Python code, how do I prevent untrusted
> users putting malicious code in there? I presume I would have to execute the
> code by calling eval(), which we all know is dangerous. Is there another way
> of executing it that I am unaware of?

The real question is: How malicious can your users be?

If the XML file is stored adjacent to the Python script that runs it,
anyone who can edit one can edit the other. Ultimately, that means
that (a) any malicious user can simply edit the Python script, and
therefore (b) anyone who's editing the other file is not malicious.

If that's not how you're doing things, give some more details of what
you're trying to do. How are you preventing changes to the Python
script? How frequent will changes be? Can you simply put all changes
through a git repository and use a pull request workflow to ensure
that a minimum of two people eyeball every change?

ChrisA
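Frank asks above whether there is any way to run a stored business rule other than eval(). One common answer, added here as an example and not taken from this thread or from either poster, is to accept only a small expression subset: parse the rule with Python's `ast` module, reject every node type outside a whitelist (no calls, attribute access, subscripts, comprehensions or lambdas), and then walk the tree yourself with a fixed operator table instead of handing the text to eval(). The rule language, the field names and the sample records below are all constructed for the example.

```python
import ast
import operator

# Constructed example: a rule is a Python-style boolean expression over named
# record fields, e.g. "amount > 1000 and currency in ('USD', 'EUR')".
# Only the node types listed in compile_rule() are accepted, so a rule author
# never reaches builtins, imports, attributes or function calls the way eval() allows.

_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
_CMP_OPS = {
    ast.Eq: operator.eq,
    ast.NotEq: operator.ne,
    ast.Lt: operator.lt,
    ast.LtE: operator.le,
    ast.Gt: operator.gt,
    ast.GtE: operator.ge,
    ast.In: lambda a, b: a in b,
    ast.NotIn: lambda a, b: a not in b,
}
_ALLOWED_NODES = (
    ast.Expression, ast.BoolOp, ast.And, ast.Or,
    ast.UnaryOp, ast.Not, ast.USub,
    ast.BinOp, ast.Compare, ast.Name, ast.Load,
    ast.Constant, ast.Tuple, ast.List,
) + tuple(_BIN_OPS) + tuple(_CMP_OPS)


class RuleError(ValueError):
    """Raised when a rule is malformed or uses a construct outside the whitelist."""


def compile_rule(text, max_len=500):
    """Parse a rule and verify every AST node is whitelisted; return the tree."""
    if len(text) > max_len:
        raise RuleError("rule too long")
    try:
        tree = ast.parse(text, mode="eval")  # expression only, no statements
    except SyntaxError as exc:
        raise RuleError(f"syntax error: {exc.msg}") from None
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise RuleError(f"disallowed construct: {type(node).__name__}")
    return tree


def rule_is_allowed(text):
    """True if the rule passes the whitelist; handy as a check before storing a rule."""
    try:
        compile_rule(text)
    except RuleError:
        return False
    return True


def _eval(node, env):
    """Evaluate a whitelisted tree against env (field name -> value)."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, env)
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in env:  # names resolve only to record fields, never to builtins
            raise RuleError(f"unknown field: {node.id}")
        return env[node.id]
    if isinstance(node, (ast.Tuple, ast.List)):
        return [_eval(e, env) for e in node.elts]
    if isinstance(node, ast.UnaryOp):
        value = _eval(node.operand, env)
        return (not value) if isinstance(node.op, ast.Not) else -value
    if isinstance(node, ast.BoolOp):
        if isinstance(node.op, ast.And):
            return all(_eval(v, env) for v in node.values)
        return any(_eval(v, env) for v in node.values)
    if isinstance(node, ast.BinOp):
        return _BIN_OPS[type(node.op)](_eval(node.left, env), _eval(node.right, env))
    if isinstance(node, ast.Compare):
        left = _eval(node.left, env)
        for op, comparator in zip(node.ops, node.comparators):
            right = _eval(comparator, env)
            if not _CMP_OPS[type(op)](left, right):
                return False
            left = right  # chained comparisons: a < b < c
        return True
    raise RuleError(f"disallowed construct: {type(node).__name__}")


def evaluate_rule(text, record):
    """Compile a rule and return its boolean result for one record (a dict)."""
    return bool(_eval(compile_rule(text), dict(record)))


if __name__ == "__main__":
    rule = "amount > 1000 and currency in ('USD', 'EUR')"
    print(evaluate_rule(rule, {"amount": 1500, "currency": "EUR"}))  # True
    print(rule_is_allowed("len(items) > 0"))  # False: calls are not in the subset
```

The whitelist is the whole point: the evaluator only ever sees node types it was written to handle, and deliberately leaves out power (`**`), subscripts and attribute access so a rule cannot reach Python objects behind the field values. It is not a sandbox against resource exhaustion (a rule can still multiply a long string by a large integer), so limits on rule length and on the value types placed in the record are still needed. Whether any of this is required at all is exactly the trust question Chris raises: if the people writing rules can already edit the script, a restricted evaluator protects against mistakes, not against them.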
