What's so wrong about execfile?

Carl Banks pavlovevidence at gmail.com
Mon Mar 2 17:20:40 CET 2009


On Mar 2, 8:43 am, John Nagle <na... at animats.com> wrote:
> Carl Banks wrote:
> > On Feb 27, 7:21 pm, Sammo <sammo2... at gmail.com> wrote:
> >> Given that execfile has been removed in py3k, I want to understand
> >> exactly why.
>
> >> Okay, I get that execfile is bad from the following thread:
>
> >> On Jul 29 2007, 2:39 pm, Steven D'Aprano
>
> >> <st... at REMOVE.THIS.cybersource.com.au> wrote:
> >>> (1) Don't use eval, exec or execfile.
> >>> (2) If you're an expert, don't use eval, exec or execfile.
> >>> (3) If you're an expert, and are fully aware of the security risks, don't
> >>> use eval, exec or execfile.
> >>> (4) If you're an expert, and are fully aware of the security risks, and
> >>> have a task that can only be solved by using eval, exec or execfile, find
> >>> another solution.
> >>> (5) If there really is no other solution, you haven't looked hard enough.
> >>> (6) If you've looked REALLY hard, and can't find another solution, AND
> >>> you're an expert and are fully aware of the security risks, THEN you can
> >>> think about using eval, exec or execfile.
> >> What are some of the reasons why execfile should not be used?
>
> >> What are some examples of cases where execfile is the correct way of
> >> doing something?
>
> > [For instance, the package I use to generate my web site uses exec and
> > eval, because it processes templates with embedded Python code.  
>
>     Now there's an example of exactly what exec and eval shouldn't be used for.
>
>     You don't put general-purpose execution mechanisms into your web site
> template system.  That's just asking for trouble.

It really isn't for a static web site generator with a single author,
which is what my package is for.


Carl Banks



More information about the Python-list mailing list