updating local()

Jp Calderone exarkun at divmod.com
Wed Oct 5 19:13:45 CEST 2005



On Wed, 5 Oct 2005 18:47:06 +0200, Sybren Stuvel <sybrenuse at yourthirdtower.com.imagination> wrote:
>Flavio enlightened us with:
>> Can anyone tell me why, if the following code works, I should not do
>> this?
>>
>> def fun(a=1,b=2,**args):
>>
>> 	print 'locals:',locals()
>> 	locals().update(args)
>> 	print locals()
>
>Because it's very, very, very insecure. What would happen if someone
>found a way to call that function? It could replace any name in the
>locals dictionary, including functions from __builtins__. In other
>words: probably the whole program could be taken over by other code by
>just one call to that function.
>

If I can call functions in your process space, I've already taken over your whole program.

Jp



More information about the Python-list mailing list