use strings to call functions

Diez B. Roggisch deets at nospam.web.de
Tue Feb 9 09:47:42 CET 2010


On 09.02.10 07:00, OdarR wrote:
> On 9 Feb, 02:50, Jean-Michel Pichavant<jeanmic... at sequans.com>  wrote:
>> Aahz wrote:
>>> In article<0efe23a6-b16d-4f92-8bc0-12d056bf5... at z26g2000yqm.googlegroups.com>,
>>> OdarR<olivier.da... at gmail.com>  wrote:
>>
>>>> and with eval(), did you try ?
>>
>>> WARNING: eval() is almost always the wrong answer to any question
>>
>> Some say that eval is evil !
>>
>> JM
>
> go to hell ;-), it is part of the language, it seems to match the
> aforementioned question.

And if the extension happens to be valid python-code, you might inject 
malicious code through the filename. Great idea!

globals()["function_" + ext]()

is all you need, and doesn't suffer from that attack vector.

Diez
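The name-lookup dispatch from the post, worked through as an added example that is not part of the original thread. It assumes constructed handler names `function_txt` and `function_csv` and constructed filenames, and goes one step beyond the post with an explicit registry dict, so that only deliberately registered handlers are reachable rather than every `function_*` name in the module.

```python
"""Dispatch on a file extension by name lookup instead of eval().

Added example, not from the original thread. The handler names
function_txt / function_csv and the sample filenames are constructed.
"""
import os


def function_txt(path):
    return f"text handler: {path}"


def function_csv(path):
    return f"csv handler: {path}"


# Explicit registry: only these names can ever be reached from input.
HANDLERS = {
    "txt": function_txt,
    "csv": function_csv,
}


def dispatch_globals(filename):
    """The approach from the post: build the function name from the
    extension and look it up in globals(). The string is only ever used
    as a dict key, never parsed or executed as code, so an unexpected
    extension just raises KeyError instead of running anything."""
    ext = os.path.splitext(filename)[1].lstrip(".")
    return globals()["function_" + ext](filename)


def dispatch_registry(filename):
    """Tighter variant (assumption, not from the post): look the extension
    up in an explicit dict, so only deliberately registered handlers are
    reachable, not every function_* name that exists in the module."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    try:
        handler = HANDLERS[ext]
    except KeyError:
        raise ValueError(f"unsupported extension: {ext!r}") from None
    return handler(filename)


if __name__ == "__main__":
    print(dispatch_globals("report.txt"))   # text handler: report.txt
    print(dispatch_registry("data.csv"))    # csv handler: data.csv
    try:
        dispatch_registry("archive.zip")    # not registered: rejected
    except ValueError as exc:
        print("rejected:", exc)
```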
