configparser v/s file variables

Grant Edwards grant.b.edwards at gmail.com
Wed Jun 27 15:40:31 EDT 2018


On 2018-06-27, Jim Lee <jlee54 at gmail.com> wrote:

>  It seems a bit silly to me to worry about arbitrary code
> execution in an interpreted language like Python whose default
> runtime execution method is to parse the source code directly. 

Maybe it's not a deliberate attack.  Good application design is also
about preventing accidents.

> An attacker would be far more likely to simply modify the source to
> achieve his ends rather than try to inject a payload externally.

That's true if the user has write permission for the program itself.
That's not how applications are usually installed (at least not on the
OSes I use).

> These days, "execute arbitrary code" implies a deliberate attack.

Perhaps I should have phrased it differently: I didn't mean to
restrict my comments to a deliberate attack.

> Now, if you used input validation as an argument, I would agree that
> configparser is, if not safer, easier.

And it doesn't require that the end user have any knowledge of Python
syntax or semantics.

-- 
Grant Edwards               grant.b.edwards        Yow! ... I want FORTY-TWO
                                  at               TRYNEL FLOATATION SYSTEMS
                              gmail.com            installed within SIX AND A
                                                   HALF HOURS!!!
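Grant's closing point, that configparser needs input validation but no Python syntax from the end user, as an added example (my code, not from either poster): an INI file is read with configparser and every value is type-checked and range-checked before use, so text that would have been a live expression in an exec'd `.py` config is just a rejected string here. The section name, option names and sample configs below are all constructed.

```python
import configparser
from dataclasses import dataclass
from typing import Optional

ALLOWED_LEVELS = {"DEBUG", "INFO", "WARNING", "ERROR"}


@dataclass(frozen=True)
class ServerConfig:
    host: str
    port: int
    log_level: str
    debug: bool


def load_config(text: str) -> ServerConfig:
    """Parse INI text and validate each field; raises ValueError on bad input."""
    # interpolation=None: treat '%' and '$' in values as plain characters
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section("server"):
        raise ValueError("missing [server] section")
    sec = parser["server"]
    # getint/getboolean only convert; "8000 + 443" is not evaluated, it fails
    port = sec.getint("port", fallback=8080)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    level = sec.get("log_level", "INFO").upper()
    if level not in ALLOWED_LEVELS:
        raise ValueError(f"unknown log_level: {level!r}")
    host = sec.get("host", "127.0.0.1").strip()
    if not host or any(c.isspace() for c in host):
        raise ValueError(f"invalid host: {host!r}")
    debug = sec.getboolean("debug", fallback=False)
    return ServerConfig(host=host, port=port, log_level=level, debug=debug)


def validation_error(text: str) -> Optional[str]:
    """Return the validation message for a config, or None if it is accepted."""
    try:
        load_config(text)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample: a well-formed config
GOOD_CONFIG = "[server]\nhost = 10.0.0.5\nport = 8443\nlog_level = warning\ndebug = no\n"
# Constructed sample: a Python expression that exec() would happily evaluate
EXPR_CONFIG = "[server]\nport = 8000 + 443\n"
# Constructed sample: numeric but outside the valid range
RANGE_CONFIG = "[server]\nport = 70000\n"
```

An accepted config comes back as a typed `ServerConfig`; the other two are refused with a message naming the offending field rather than being evaluated.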

