configparser v/s file variables

Rob Gaddi rgaddi at highlandtechnology.invalid
Wed Jun 27 15:36:53 EDT 2018


On 06/27/2018 12:15 PM, Jim Lee wrote:
> 
> 
> On 06/27/18 11:45, Abdur-Rahmaan Janhangeer wrote:
>> and that closes it,
>>
>> thanks !!!
>>
>> Abdur-Rahmaan Janhangeer
>> https://github.com/Abdur-rahmaanJ
>>
>>> Importing variables from a file is dangerous because it can execute
>>> arbitrary code.  It should never be done with files provided by the
>>> user.
>>>
>>> Using configparser is far, far safer.
>>>
> 
>    It seems a bit silly to me to worry about arbitrary code execution in 
> an interpreted language like Python whose default runtime execution 
> method is to parse the source code directly.  An attacker would be far 
> more likely to simply modify the source to achieve his ends rather than 
> try to inject a payload externally.
> 
> These days, "execute arbitrary code" implies a deliberate attack. Now, 
> if you used input validation as an argument, I would agree that 
> configparser is, if not safer, easier.
> 
> -Jim
> 

Not at all.  Because if you're assuming a malicious user (who wasn't the 
one to install it), then you're assuming a multi-user environment.  In 
which case the malicious user wouldn't have modify access to the code, 
unless your program says "Hey, Mal E. Factor, why don't you run your 
arbitrary code in my environment?"

-- 
Rob Gaddi, Highland Technology -- www.highlandtechnology.com
Email address domain is currently out of order.  See above to fix.
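The distinction argued over above (a Python "settings" file is executed by the interpreter the moment it is imported, whereas configparser only tokenises an INI file into strings) is easy to demonstrate. The following is an added example and not code from the thread; the [server] section, its keys and the sample values are my own assumptions. A code-looking value comes back from configparser as an inert string, and the typed getters give a natural place for the input validation Jim mentions.

```python
"""Reading user-supplied settings with configparser instead of importing them.

Added example, not from the python-list thread. The section name "server"
and its keys (host, port, debug) are assumptions chosen for illustration.
"""
import configparser

# Constructed sample config. The "command" entry deliberately looks like
# Python source: configparser hands it back as a plain string, unevaluated.
SAMPLE_INI = """
[server]
host = 127.0.0.1
port = 8080
debug = no
command = __import__("os").getcwd()
"""

# The same config without the unexpected key.
CLEAN_INI = """
[server]
host = 127.0.0.1
port = 8080
debug = no
"""

# Keys the application actually understands; anything else is rejected.
EXPECTED_KEYS = {"host", "port", "debug"}


def _parser_for(text):
    # interpolation=None: do not expand %(name)s references in user text,
    # so a value is exactly the characters that were written in the file.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def read_raw(text):
    """Return every section as a dict of raw strings, exactly as parsed."""
    parser = _parser_for(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def load_config(text):
    """Parse INI text and return a validated settings dict for [server].

    Raises ValueError for a missing section, unknown keys, a non-integer
    or out-of-range port, or a non-boolean debug flag. The typed getters
    (getint/getboolean) do the conversion; nothing is ever evaluated.
    """
    parser = _parser_for(text)
    if not parser.has_section("server"):
        raise ValueError("missing [server] section")
    section = parser["server"]

    unknown = set(section) - EXPECTED_KEYS
    if unknown:
        raise ValueError(f"unexpected keys in [server]: {sorted(unknown)}")
    missing = EXPECTED_KEYS - set(section)
    if missing:
        raise ValueError(f"missing keys in [server]: {sorted(missing)}")

    port = section.getint("port")        # ValueError if not an integer
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    debug = section.getboolean("debug")  # accepts yes/no, on/off, true/false, 1/0
    return {"host": section["host"], "port": port, "debug": debug}


def is_acceptable(text):
    """True if load_config accepts the text, False if it rejects it."""
    try:
        load_config(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("raw command value:", read_raw(SAMPLE_INI)["server"]["command"])
    print("sample accepted:", is_acceptable(SAMPLE_INI))
    print("clean config:", load_config(CLEAN_INI))
```

The key point is that `read_raw` returns the `command` entry as the literal string `__import__("os").getcwd()`; nothing in the parse path can run it. Whether to reject unknown keys, as `load_config` does, or ignore them is a design choice; rejecting them surfaces typos and tampering early.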
