configparser v/s file variables
Jim Lee
jlee54 at gmail.com
Thu Jun 28 13:58:36 EDT 2018
On 06/28/18 07:30, Grant Edwards wrote:
> I still maintain it's a bad idea to run arbitrary code found in
> user-edited config files.
>
> There may be cases where somebody has figured out how to muck with a
> config file that's shared among multiple users, or has tricked
> somebody into including something from an untrusted source in an
> include file.
>
> Or there could be users who don't know what they're doing and
> unwittingly type something harmful into a config file:
>
> bad_command = os.system("rm -rf ~/*")
>
> Yes, I know, users would never be that dumb...
>
I agree with you that it's a bad idea. I was pointing out that I look
at it from an input validation viewpoint rather than a security
viewpoint - that's all.
Absolute security isn't a solvable problem. It isn't even a technical
problem. But that's a discussion for another time...
-Jim
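Treating the config file as data rather than code, with a schema that validates each option, is the input-validation view Jim describes. The following is an added example, not code from either poster; `SCHEMA`, `SAMPLE_CONFIG` and `load_config` are hypothetical names chosen for illustration, and the sample text (including the `bad_command` line from the quoted message) is constructed inline. Nothing in the file is ever evaluated as Python: configparser returns strings, unknown options are rejected, and known ones are converted and range-checked.

```python
import configparser

# Constructed sample of a user-edited INI file. The last line is the
# "bad_command" example from the quoted message; configparser treats it
# as an ordinary string value, and the schema below rejects it as unknown.
SAMPLE_CONFIG = """
[main]
timeout = 30
verbose = yes
output_dir = /tmp/out
bad_command = os.system("rm -rf ~/*")
"""

# Hypothetical schema: option name -> (converter, validator or None).
# "bool" is a marker for configparser's own getboolean(), which accepts
# yes/no, on/off, true/false and 1/0.
SCHEMA = {
    "timeout": (int, lambda v: 1 <= v <= 3600),
    "verbose": ("bool", None),
    "output_dir": (str, lambda v: v.startswith("/")),
}


def load_config(text, section="main"):
    """Parse INI text and validate every option against SCHEMA.

    Returns (accepted, rejected): accepted is a dict of converted values,
    rejected is a list of (option, reason) pairs for anything that did not
    pass. No value from the file is executed or interpolated.
    """
    # interpolation=None: a literal '%' in a value is kept as-is instead of
    # being treated as a substitution pattern.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section(section):
        raise ValueError(f"missing section [{section}]")

    accepted = {}
    rejected = []
    for key, raw in parser.items(section):
        if key not in SCHEMA:
            # Unknown option: never guess what it means, just report it.
            rejected.append((key, "unknown option"))
            continue
        convert, check = SCHEMA[key]
        try:
            if convert == "bool":
                value = parser.getboolean(section, key)
            else:
                value = convert(raw)
        except ValueError:
            rejected.append((key, f"cannot convert {raw!r}"))
            continue
        if check is not None and not check(value):
            rejected.append((key, f"value {value!r} fails validation"))
            continue
        accepted[key] = value
    return accepted, rejected


if __name__ == "__main__":
    cfg, problems = load_config(SAMPLE_CONFIG)
    print("accepted:", cfg)
    print("rejected:", problems)
```

A caller can decide whether a non-empty `rejected` list is fatal or merely logged; either way the unknown `bad_command` option is reported and the rest of the file is usable, and a malformed value such as `timeout = 30; rm ...` would fail `int()` conversion rather than reach a shell.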