[Tutor] best way to dynamically set class variables?

Avi Gross avigross at verizon.net
Thu Nov 8 11:34:35 EST 2018


An interesting discussion that is outside the scope of a group like this is
HOW malicious things can be done and perhaps how to avoid them.

Obviously some contexts are totally uncontrolled. If you write a
"calculator" that asks the user to type in an arbitrary string like
"2*(3+5)" or "sin(30)" and execute that string and show the result, then
they can slip in anything like a shell command to reformat the hard disk.

What can you do to minimize risks in such situations? Obviously you might
want to scan the string before executing and look for things like carriage
returns and semi-colons that might be used to add continuation commands
beyond what is asked for. You might limit the length of the string. You
might scan for keywords like def and lambda. But note that a cursory scan
like that has false positives as well as false negatives. You might
recognize something within a character string context that is harmless or
you might reject a valid SQL query because it used a word you disallow that
is actually a harmless name of a data column.

And, realistically, Python has so many ways to get around things that it
gets silly. Given some room and ingenuity, you can create code that
assembles individual characters and then executes them into a program so a
scan may not reveal anything.

Heck, if you can simply create a module on the disk somewhere, all you need
to do is insert enough code to IMPORT the file and you can do pretty much
anything. If asked to enter a calculator entry, for example, and you simply
say:

5+3;import mymodule

You then have an exec("5+3;import mymodule")

Some such things may generate an error but only after the side effect is
done.

Python code is often wide open, by design, so subtle messing with internals
is easy. As an example, you can change the search path for modules with an
assignment statement and then any subsequent call for importing a named
module gets the one you substituted.

So, yes, executing random code can be dangerous. But life is dangerous.

-----Original Message-----
From: Tutor <tutor-bounces+avigross=verizon.net at python.org> On Behalf Of
Alan Gauld via Tutor
Sent: Thursday, November 8, 2018 5:52 AM
To: tutor at python.org
Subject: Re: [Tutor] best way to dynamically set class variables?

On 08/11/2018 07:46, Peter Otten wrote:

> By the way I don't think exec() is bad as long as you control its 
> input and as long as this input is fairly simple.

Yes, but reading arbitrary column names from a database is not exactly
controlled input...


--
Alan G
Author of the Learn to Program web site
http://www.alan-g.me.uk/
http://www.amazon.com/author/alan_gauld
Follow my photo-blog on Flickr at:
http://www.flickr.com/photos/alangauldphotos
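
An added example, not part of the original post: the calculator case discussed above, handled by parsing the input with `ast` and evaluating only allowlisted node types instead of scanning the string and passing it to exec(). The names `calculate`, `is_allowed` and `Rejected`, the function allowlist and the size limits are assumptions made for this illustration.

```python
import ast
import math
import operator

# Allowlists: only these operators and functions can ever be evaluated.
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv,
           ast.Mod: operator.mod, ast.Pow: operator.pow}
UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
FUNCS = {"sin": math.sin, "cos": math.cos, "sqrt": math.sqrt, "abs": abs}
MAX_LEN = 200                      # assumed limit on input length
MAX_EXPONENT, MAX_BASE = 64, 10**6  # assumed limits so 9**9**9 is refused

class Rejected(ValueError):
    """Input contains something outside the arithmetic allowlist."""

def _eval(node):
    # bool, str, bytes and complex constants are deliberately excluded.
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        left, right = _eval(node.left), _eval(node.right)
        if isinstance(node.op, ast.Pow) and (
                abs(right) > MAX_EXPONENT or abs(left) > MAX_BASE):
            raise Rejected("power operands too large")
        return BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_eval(node.operand))
    # Calls are allowed only on a bare allowlisted name: no attributes.
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in FUNCS and not node.keywords):
        return FUNCS[node.func.id](*[_eval(a) for a in node.args])
    raise Rejected(f"{type(node).__name__} is not allowed")

def calculate(text):
    """Evaluate an arithmetic expression without exec() or eval()."""
    if len(text) > MAX_LEN:
        raise Rejected("input too long")
    try:
        tree = ast.parse(text, mode="eval")  # one expression, no statements
    except (SyntaxError, ValueError) as exc:
        raise Rejected("not a single expression") from exc
    return _eval(tree.body)

def is_allowed(text):
    try:
        calculate(text)
        return True
    except Rejected:
        return False
```

Because the decision is made on the parsed tree, "5+3;import mymodule" is refused before anything runs, and a string that merely contains a disallowed word is not what triggers a rejection.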

