[Tutor] Initialize values from a text input file
Steven D'Aprano
steve at pearwood.info
Tue Jan 4 14:27:33 CET 2011
Tim Johnson wrote:
>>> consider the following console session:
>>> >>> L = ['foo','bar']
>>> >>> locals()[L[0]] = L[1]
[...]
>> (2) Even if it did work, do you trust the source of the text? Taking
>> external data provided by arbitrary untrusted users and turning it into
>> variables is a good way to have your computer owned by bad guys.
> Say what? I'm not talking about anything accessible by "arbitrary
> users". Sorry if I gave that impression!

No need to apologise, but you were talking about injecting variables
straight into your code from a file, which has to come from *somewhere*.
It's not a big leap to ask whether you trust the source of that file. If
it comes from *you*, then presumably you trust yourself. (If you can't
trust yourself, you have more problems than just code injection
attacks...) You asked for comments, and I gave them :)

But be careful -- code has a way of ending up used in different
circumstances than it originally was created for. What starts off
reading a config file you write yourself ends up accepting data uploaded
to your web server by anonymous users in Bulgaria :)
--
Steven
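
An added example, not part of the original post or of either poster's code: one way to initialize values from a text file without turning its contents into variables. The `name = value` file format, the `ALLOWED` table and the `load_settings` function are assumptions made for illustration.

```python
import ast

# Hypothetical allowlist: the only names the program agrees to accept,
# each with the exact type its value must have.
ALLOWED = {"host": str, "port": int, "debug": bool}


def load_settings(text, allowed=ALLOWED):
    """Parse 'name = value' lines into a new dict.

    Values go through ast.literal_eval, which accepts only Python literals,
    so an expression such as a function call is rejected, never executed.
    Nothing is written into locals() or globals().
    """
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        name, sep, value = line.partition("=")
        name = name.strip()
        if not sep:
            raise ValueError(f"line {lineno}: expected 'name = value'")
        if name not in allowed:
            raise ValueError(f"line {lineno}: unexpected name {name!r}")
        try:
            parsed = ast.literal_eval(value.strip())
        except (ValueError, SyntaxError, TypeError):
            raise ValueError(f"line {lineno}: value is not a literal") from None
        if type(parsed) is not allowed[name]:
            raise ValueError(
                f"line {lineno}: {name} must be {allowed[name].__name__}")
        settings[name] = parsed
    return settings


# Constructed sample input.
GOOD = "# sample\nhost = 'localhost'\nport = 8080\ndebug = False\n"
# Constructed hostile inputs: a name that would shadow a builtin, and a
# value that is an expression rather than a literal.
BAD_NAME = "open = 'x'\n"
BAD_VALUE = "port = __import__('os').getpid()\n"

if __name__ == "__main__":
    print(load_settings(GOOD))
    for bad in (BAD_NAME, BAD_VALUE):
        try:
            load_settings(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Because the result is an ordinary dict, the same loader keeps behaving the same way if the file later comes from a less trusted source than it did at first.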