from spam import eggs, spam at runtime, how?
Stuart Bishop
stuart.b at commonground.com.au
Tue Dec 9 20:26:45 EST 2003
On 10/12/2003, at 6:28 AM, Rene Pijlman wrote:
> from skin import template
>
> where skin is only known at runtime (it's passed as a parameter or hidden
> field to my mod_python application).
That is scary - you need to treat anything arriving from the client
as an attack. Consider what would happen if someone accessed the url:
http://whatever/myapp?skin=test.testall
Maintaining a blacklist is impossible, as new modules may be installed
in the future.
> The alternative would be:
>
> if skin == 'basic':
>     from basic import homepage
> elif skin == 'modern':
>     from modern import homepage
>
> ... but this is unmaintainable and unpythonic.
It is also correct IMHO, although you would be better off
using a dictionary mapping string -> module, so you could just do:
    try:
        homepage = skinmod[skin]
    except KeyError:
        raise ValueError('No such skin: %r' % (skin,))
You may want to use the import tricks elsewhere in this thread to
build this dictionary though, for instance by doing an os.listdir() on
your 'skins' directory.
--
Stuart Bishop <stuart at stuartbishop.net>
http://www.stuartbishop.net/
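
Added example, not part of the original message or thread: one way to build the string -> module dictionary from an os.listdir() of the skins directory and then resolve the client-supplied skin by lookup only. It is written for Python 3; skinmod and homepage follow the message, while load_skins, get_homepage, demo, the "skin_" module-name prefix and the sample skin files are assumptions constructed for illustration.

```python
import importlib.util
import os
import tempfile


def load_skins(skins_dir):
    """Build the allowlist once, at startup: skin name -> loaded module."""
    skinmod = {}
    for entry in sorted(os.listdir(skins_dir)):
        name, ext = os.path.splitext(entry)
        if ext != ".py" or not name.isidentifier() or name.startswith("_"):
            continue
        spec = importlib.util.spec_from_file_location(
            "skin_" + name, os.path.join(skins_dir, entry))
        skinmod[name] = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(skinmod[name])
    return skinmod


def get_homepage(skinmod, skin):
    """Resolve a client-supplied skin name by dictionary lookup, never import."""
    try:
        return skinmod[skin].homepage
    except (KeyError, TypeError):  # unknown name, or an unhashable value
        raise ValueError("No such skin: %r" % (skin,))


def demo():
    """Constructed sample: a temporary skins directory holding two skins."""
    sources = {"basic.py": "def homepage(): return 'basic page'\n",
               "modern.py": "def homepage(): return 'modern page'\n",
               "README.txt": "not a skin\n"}
    with tempfile.TemporaryDirectory() as skins_dir:
        for filename, body in sources.items():
            with open(os.path.join(skins_dir, filename), "w") as f:
                f.write(body)
        skinmod = load_skins(skins_dir)
    results = {"skins": sorted(skinmod), "basic": get_homepage(skinmod, "basic")()}
    for hostile in ("test.testall", "os", "../basic", "README"):
        try:
            get_homepage(skinmod, hostile)
            results[hostile] = "accepted"
        except ValueError:
            results[hostile] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Every .py file in the skins directory is executed when the dictionary is built, so that directory has to be writable only by whoever deploys the application.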