use strings to call functions
Diez B. Roggisch
deets at nospam.web.de
Tue Feb 9 03:47:42 EST 2010
On 09.02.10 07:00, OdarR wrote:
> On 9 Feb, 02:50, Jean-Michel Pichavant<jeanmic... at sequans.com> wrote:
>> Aahz wrote:
>>> In article<0efe23a6-b16d-4f92-8bc0-12d056bf5... at z26g2000yqm.googlegroups.com>,
>>> OdarR<olivier.da... at gmail.com> wrote:
>>
>>>> and with eval(), did you try ?
>>
>>> WARNING: eval() is almost always the wrong answer to any question
>>
>> Some say that eval is evil !
>>
>> JM
>
> go to hell ;-), it is part of the language, it seems to match the
> aforementioned question.
And if the extension happens to be valid python-code, you might inject
malicious code through the filename. Great idea!
globals()["function_" + ext]()
is all you need, and doesn't suffer from that attack vector.
Diez
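
Added example, not part of the original post: the eval() dispatch and the globals() lookup from the message above, run against the same constructed filename. The handler names, `injected_marker`, `ext_of`, the `dispatch_*` helpers, the `HANDLERS` allow-list and both sample filenames are assumptions made for illustration.

```python
def function_txt():
    return "handled txt"

def function_csv():
    return "handled csv"

def injected_marker():
    # Harmless stand-in for code chosen by whoever named the file.
    return "injected"

def ext_of(filename):
    # Everything after the last dot is treated as the extension.
    return filename.rsplit(".", 1)[-1]

def dispatch_eval(filename):
    # eval() approach: the extension is compiled and run as Python source.
    return eval("function_" + ext_of(filename) + "()")

def dispatch_lookup(filename):
    # Lookup from the post: the extension is only ever a dictionary key.
    return globals()["function_" + ext_of(filename)]()

# Stricter variant (assumption, not from the thread): an explicit allow-list,
# so only the listed handlers are reachable, not every "function_*" global.
HANDLERS = {"txt": function_txt, "csv": function_csv}

def dispatch_registry(filename):
    handler = HANDLERS.get(ext_of(filename))
    if handler is None:
        raise ValueError("unsupported extension: %r" % ext_of(filename))
    return handler()

# Constructed sample inputs.
GOOD = "report.txt"
BAD = "report.txt() and injected_marker"

if __name__ == "__main__":
    print("eval:", dispatch_eval(GOOD), "|", dispatch_eval(BAD))
    for dispatch in (dispatch_lookup, dispatch_registry):
        print(dispatch.__name__, "good:", dispatch(GOOD))
        try:
            dispatch(BAD)
        except (KeyError, ValueError) as exc:
            print(dispatch.__name__, "rejected:", repr(exc))
```

With the eval() version the second filename runs `injected_marker`; both lookup versions raise instead of executing anything.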