Security considerations of execfile()
Gordon McMillan
gmcm at hypernet.com
Wed Sep 8 18:40:56 EDT 1999
Preston Landers wrote:
>
> I'm thinking of using the execfile() built-in function in one of my
> programs (Pagecast) and I'm wondering about some security
> considerations.
>
> Basically, the program will execute all files with a certain
> extension in a certain directory as Python code.
...
> My question is what kind of security, if any, does execfile()
> provide (my guess: none) and should I consider working with the
> rexec module?
...
Can't really say much about rexec (except I understand it's quite
restrictive) 'cause I haven't used it.
I've used plain execfile without worry in a sort of similar
situation, but only I (and root) could put things in the magic
directory.
You can pass execfile a dictionary to use instead of globals. The
trick is, though, that if the dict does NOT have something called
"__builtins__" in it, Python will stick the real __builtins__ in
there.
I'm not sure what kind of attack you're worried about. Personally,
not being the paranoid type, I'd be inclined to use just OS security
if I could.
- Gordon
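As an added example (not part of the thread), here is the `__builtins__` behaviour Gordon describes, written for Python 3, where `exec()` on the file's text replaces the removed `execfile()`; the plugin file contents and the `.pc` extension are constructed for the demo. Replacing `__builtins__` only changes which names the executed code can resolve; it is not a sandbox, so the directory permissions Gordon relies on remain the real control.

```python
"""Added example: how the globals dict passed to exec() (execfile() in Python 2)
interacts with __builtins__, plus the run-every-file-in-a-directory pattern."""
import os
import tempfile


def run_file(path, env):
    """Execute a Python source file with `env` as its globals, like execfile(path, env)."""
    with open(path) as f:
        code = compile(f.read(), path, "exec")
    exec(code, env)
    return env


def builtins_inserted():
    """A dict WITHOUT __builtins__: Python inserts the real builtins before running."""
    env = {}
    exec("x = len('abc')", env)  # len() resolves through the injected __builtins__
    return "__builtins__" in env and env["x"] == 3


def builtins_respected():
    """A dict WITH an explicit __builtins__: only the listed names resolve by name.
    This is name resolution only, not a security boundary."""
    env = {"__builtins__": {"len": len}}
    exec("n = len('abcd')", env)
    try:
        exec("f = open('somefile')", env)  # 'open' is not in our restricted dict
        open_available = True
    except NameError:
        open_available = False
    return env["n"] == 4 and not open_available


def demo_run_directory():
    """Constructed demo: write plugin files to a temp dir and execute those with the
    chosen extension, each in its own fresh globals dict."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "a.pc"), "w") as f:
            f.write("result = sum(range(4))\n")  # uses the injected builtins
        with open(os.path.join(d, "b.pc"), "w") as f:
            f.write("result = 'b'\n")
        with open(os.path.join(d, "ignored.txt"), "w") as f:
            f.write("result = 'should not run'\n")  # wrong extension, skipped
        results = {}
        for name in sorted(os.listdir(d)):
            if name.endswith(".pc"):
                env = run_file(os.path.join(d, name), {})
                results[name] = env["result"]
        return results
```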