Python 3.6: How to expand f-string literals read from a file vs inline statement

Steven D'Aprano steve+comp.lang.python at pearwood.info
Fri Mar 23 14:19:22 EDT 2018


On Fri, 23 Mar 2018 10:39:05 -0600, Malcolm Greene wrote:

>> Perhaps it doesn't need to be said, but just to be sure: don't use eval
>> if you don't trust the people writing the configuration file. They can
>> do nearly unlimited damage to your environment. They are writing code
>> that you are running.
> 
> Of course! Script and config file are running in a private subnet 


Okay. So only users who have access to the private subnet can inject code 
into your application. That covers a *lot* of ground:

"The private subnet is used by me and my wife, and we both have root on 
the system and trust each other implicitly."

"The private subnet is used by five thousand really smart and technically 
savvy but emotionally immature teens who are constantly trying to 
escalate privileges and take over the system."

I always find it amusing when techies imagine that hackers on the 
internet are the only security threat.

http://www.zdnet.com/article/the-top-five-internal-security-threats/

https://blog.trendmicro.com/most-data-security-threats-are-internal-forrester-says/




> and both are maintained by a single developer.

And this is relevant to the security risk in what way?



-- 
Steve
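One way to expand placeholders read from a config file without eval(), as an added example that is not code from this thread: it subclasses the standard library's string.Formatter so that only plain {name} fields from an allow-list are substituted, and attribute access, indexing, conversions and format specs in the file are refused. ALLOWED_FIELDS, RestrictedFormatter, expand_template, is_rejected and the sample values are assumptions for the illustration.

```python
import string

# Constructed example: the values a config file may reference. Anything else
# inside a placeholder (attribute access, indexing, conversions, format specs)
# is rejected, so the file can only pick from these names, never run code.
ALLOWED_FIELDS = frozenset({"host", "port", "user"})


class RestrictedFormatter(string.Formatter):
    """Expand plain {name} placeholders from a fixed mapping, nothing else."""

    def __init__(self, values):
        super().__init__()
        self.values = dict(values)

    def parse(self, format_string):
        # Each item is (literal_text, field_name, format_spec, conversion).
        for literal, field, spec, conv in super().parse(format_string):
            if field is None:  # literal text only (including escaped braces)
                yield literal, None, None, None
                continue
            if spec or conv:
                raise ValueError(f"format spec/conversion not allowed: {field!r}")
            if field not in ALLOWED_FIELDS:
                # Catches "user.__class__", "host[0]", "" (auto-numbering), ...
                raise ValueError(f"field not allowed: {field!r}")
            yield literal, field, "", None

    def get_value(self, key, args, kwargs):
        if key not in self.values:
            raise ValueError(f"no value configured for {key!r}")
        return self.values[key]


def expand_template(template, values):
    """Return the template with allowed {name} fields filled in."""
    return RestrictedFormatter(values).format(template)


def is_rejected(template, values):
    """True if the template is refused (handy when validating a config file)."""
    try:
        expand_template(template, values)
    except ValueError:
        return True
    return False
```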



