editing conf file

Roy Smith roy at panix.com
Fri Nov 16 15:08:11 CET 2012


 Ulrich Eckhardt <ulrich.eckhardt at dominolaser.com> wrote:
> in general importing configuration data by loading and 
> executing code is a questionable approach. The problem is in particular 
> that the code parser is always more strict with the syntax than a 
> configuration file should be. Also, it presents the danger of code 
> injection, especially when exec'ing or importing untrusted code.

chip9munk <"chip9munk[SSSpAm"@gmail.com> wrote:
> huh... ok, the thing is that there will actually be no code in the 
> config file, just some variables and values.. it will be more like a 
> "setting file"... so no execution of the config file is necessary, just 
> getting and setting variables...

I've been using django for the past couple of years, and I have to say 
I'm really addicted to their style of executable config files.  The 
ability to put conditional logic in your settings.py file is extremely 
powerful.  Even simple stuff like:

DEBUG = songza.config['build_type'] != 'production'

adds value.

But, yes, Ulrich is 100% correct that it can lead to code injection 
attacks if you allow reading configs from untrusted sources.  Like all 
powerful tools, it needs to be used with care.

These days, if I was writing something that needed a config file and I 
didn't want to do "import settings" for whatever reason, I would go with 
YAML.  It seems to give an attractive mix of:

* supporting complex data structures
* easy to for humans to hand-edit
* easy for humans to read
* safe from code injection attacks


More information about the Python-list mailing list