Accessing global namespace

Carl Banks imbosol at aerojockey.invalid
Mon Oct 6 17:33:25 EDT 2003


John Roth wrote:
> 
> "Carl Banks" <imbosol at aerojockey.invalid> wrote in message
> news:r%jgb.30366$541.25640 at nwrdny02.gnilink.net...
>> John Roth wrote:
>> >
>> > "Tonguç Yumruk" <trooper at ttnet.net.tr> wrote in message
>> > news:mailman.1065436150.27416.python-list at python.org...
>> >> I'm trying to build a completely plug-in based system. One of my
>> >> problems is importing a package dynamically. I'm trying to emulate the
>> >> import command. The __import__() function or imp module doesn't help me
>> >> much because they only return the module. I want to register the module
>> >> with its name in the current namespace. I can do it by:
>> >>
>> >> globals()[module_name] = __import__(module_name)
>> >>
>> >> But I don't think it's a good thing to access the global namespace
>> >> directly. I prefer using setattr() but I cannot access the current
>> >> namespace as an object. I want something like
>> >>
>> >> setattr(__main__,__import__(module_name))
>> >>
>> >> Is that possible? I'm using Python 2.1 on Debian Woody
>> >
>> > The easiest way to do a dynamic import is to build an
>> > import statement and feed it into the exec statement.
>>
>>
>> Also, the best way to make your program vulnerable to abuse.
>>
>> Use exec only if you explicitly intend to give the user the option to
>> input Python code, and only if the program is not running at a higher
>> privilege level than the user is.
> 
> Now, now. Did I say anything about accepting raw, unvalidated
> input from the user? I certainly don't see anything about it in what
> I said.
> 
> There are plenty of things I say that you can validly assail me for.
> This doesn't happen to be one of them.

You said nothing about raw, unvalidated input, and that's the problem.
Instead, you swept the potential little pitfall under the rug, and
freely gave your advice to use exec as if one could use it without any
care in the world.

That's not only validly assailable, my friend, but asinine.

I stand by what I said.  Using exec for anything other than explicitly
asking the user for Python code is wrong, incorrect, and evil, with
very few exceptions.  Even if it looks harmless.  Anyone who does
that, or advises that, should be fired.


-- 
CARL BANKS                   http://www.aerojockey.com/software

As the newest Lady Turnpot descended into the kitchen wrapped only in
her celery-green dressing gown, her creamy bosom rising and falling
like a temperamental souffle, her tart mouth pursed in distaste, the
sous-chef whispered to the scullery boy, "I don't know what to make of
her." 
          --Laurel Fortuner, Montendre, France 
            1992 Bulwer-Lytton Fiction Contest Winner
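
Added example, not part of the original thread or any poster's code: a plug-in loader that binds the module with setattr() and treats the name as data, shown beside the exec-built import statement discussed above. It assumes Python 3 (importlib), and load_plugin, exec_import, compare, the allow-list and the sample names are hypothetical and constructed for illustration.

```python
import importlib
import re
import sys
import types

# Assumption: a plugin name is a plain dotted identifier and nothing else.
_MODULE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*")


def load_plugin(name, target, allowed=None):
    """Import `name` and bind it on the module object `target` via setattr().

    Pass sys.modules["__main__"] as `target` to bind in the main namespace.
    `allowed` is an optional allow-list of permitted plugin names.
    """
    if not isinstance(name, str) or not _MODULE_NAME.fullmatch(name):
        raise ValueError("not a module name: %r" % (name,))
    if allowed is not None and name not in allowed:
        raise PermissionError("plugin not on allow-list: %r" % (name,))
    module = importlib.import_module(name)  # the name is data, never source text
    top = name.split(".", 1)[0]
    setattr(target, top, sys.modules[top])  # same binding "import a.b" makes
    return module


def exec_import(name, namespace):
    """The exec-built import statement, kept only for comparison."""
    exec("import " + name, namespace)


def compare(name):
    """Return (exec_side_effects, load_plugin_outcome) for one plugin name."""
    side_effects = []
    exec_import(name, {"side_effects": side_effects})
    host = types.ModuleType("host")  # constructed stand-in for __main__
    try:
        load_plugin(name, host, allowed={"json", "os.path"})
        outcome = "loaded"
    except (ValueError, PermissionError) as exc:
        outcome = type(exc).__name__
    return side_effects, outcome


if __name__ == "__main__":
    # Constructed inputs: a normal name, then a name carrying an extra statement.
    print(compare("json"))
    print(compare("json; side_effects.append('extra statement ran')"))
```
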



