use strings to call functions

Diez B. Roggisch deets at
Tue Feb 9 09:47:42 CET 2010

Am 09.02.10 07:00, schrieb OdarR:
> On 9 fév, 02:50, Jean-Michel Pichavant<jeanmic... at>  wrote:
>> Aahz wrote:
>>> In article<0efe23a6-b16d-4f92-8bc0-12d056bf5... at>,
>>> OdarR<olivier.da... at>  wrote:
>>>> and with eval(), did you try ?
>>> WARNING: eval() is almost always the wrong answer to any question
>> Some say that eval is evil !
>> JM
> go to hell ;-), it is part of the language, it seems to match the
> aforementioned question.

And if the extension happens to be valid python-code, you might inject 
code malus code through the filename. Great idea!

globals()["function_" + ext]()

is all you need, and doesn't suffer from that attack vector.


More information about the Python-list mailing list