Customizing CGI script via execfile

Wed Jan 24 07:18:22 EST 2001

Short version:  I had a program that was to be run from 
the command line to output HTML.  End user customizations 
were permitted via a configuration file in each user's 
home directory and Python's execfile.  I have made 
modifications so that the script can be called via CGI, 
but the execfile no longer seems safe in this context.  

Long version:
I have a program that generates HTML.  It was intended that 
the program would be installed centrally and that each user 
could customize the output easily.  To accomplish this quickly, 
I simply had the program call execfile on an .rc file in each 
user's home directory.

The script has a configuration dictionary and some of the 
functionality encapsulated in functions.  Something like 
this:

configuration = {'fullname':   "Your Name",
                 'mailaddr':   "id at some.host",
                 'body': '<BODY>'}

def generate_footer(configuration, message):
    fullname = configuration['fullname']
    mailaddr = configuration['mailaddr']
    # get a dictionary: localvar -> value
    local_strings = vars()
    return """    
      <ADDRESS>
        <A HREF="mailto:%(mailaddr)s">
        %(fullname)s</A>
      </ADDRESS>
    </BODY>
    </HTML>""" % local_strings

Thus, in the user's .rc file, he can perform simple customization 
of the output by writing

configuration['fullname'] = 'Tom Bryan'
configuration['mailaddr'] = 'tbryan at python.net'
configuration['BODY'] = '<BODY BGCOLOR="#FFFFFF">'

Since I call execfile, Python programmers can redefine entire functions, 
such as generate_footer, if he'd like completely different behavior from 
portions of the program.

Now that I'd like the program to be called as a CGI script, I'd like 
to remove the execfile call, but I'd love to continue to permit 
extensive customization.  For example, the ConfigParser module would 
permit customization like I show above with strings in the configuration 
dictionary, but it wouldn't permit redefinition of entire functions. 
Ideally, I'd only permit customization of the functions and variables 
defined in the Python program, without permitting access to most modules 
(such as os and system).  Otherwise, the script would be much easier to 
use as an attack to the system (for example, by pushing a file onto the 
system somewhere and calling the CGI script with an overridden 
configuration file location).  Most of the function redefinition is simply 
so that the user can modify what text is output (for example, if his 
page uses CSS, he may want to modify the header).   It is okay to 
deny him access to most Python modules.  Is the rexec module what I should 
be using?  I played with it for a little while, but I wasn't sure whether 
rexec could do what I want.  I thought about doing something import, but 
I'm not sure wether that's sane either.  Any suggestions?

---Tom