editing conf file
roy at panix.com
Fri Nov 16 15:08:11 CET 2012
Ulrich Eckhardt <ulrich.eckhardt at dominolaser.com> wrote:
> in general importing configuration data by loading and
> executing code is a questionable approach. The problem is in particular
> that the code parser is always more strict with the syntax than a
> configuration file should be. Also, it presents the danger of code
> injection, especially when exec'ing or importing untrusted code.
chip9munk <"chip9munk[SSSpAm"@gmail.com> wrote:
> huh... ok, the thing is that there will actually be no code in the
> config file, just some variables and values.. it will be more like a
> "setting file"... so no execution of the config file is necessary, just
> getting and setting variables...
I've been using django for the past couple of years, and I have to say
I'm really addicted to their style of executable config files. The
ability to put conditional logic in your settings.py file is extremely
powerful. Even simple stuff like:
DEBUG = songza.config['build_type'] != 'production'
But, yes, Ulrich is 100% correct that it can lead to code injection
attacks if you allow reading configs from untrusted sources. Like all
powerful tools, it needs to be used with care.
These days, if I was writing something that needed a config file and I
didn't want to do "import settings" for whatever reason, I would go with
YAML. It seems to give an attractive mix of:
* supporting complex data structures
* easy for humans to hand-edit
* easy for humans to read
* safe from code injection attacks
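An added example to go with the thread above (my code, not Roy's, Ulrich's, or chip9munk's): the two approaches side by side in Python. load_settings_exec is the executable-config style (what "import settings" amounts to), and load_settings_literal is chip9munk's "just variables and values" style done without running anything, by parsing the file with ast and accepting only NAME = <literal> assignments. The two settings files are constructed samples; the "malicious" one reads the working directory through __import__, which is harmless here but stands in for any code an untrusted file could carry. The same data-only property is what you get from PyYAML's yaml.safe_load; the full yaml.load loader can construct arbitrary Python objects from tags, so "YAML is safe from injection" holds for the safe loader, not the format by itself.

```python
import ast

# Constructed sample: a benign settings file in Python syntax, assignments only.
SAFE_SETTINGS = """
DEBUG = True
DB_HOST = "db.internal"
DB_PORT = 5432
ALLOWED_HOSTS = ["example.com", "www.example.com"]
"""

# Constructed sample: the kind of line an untrusted settings file could carry.
# Under exec() the call runs; the literal-only loader refuses the file instead.
MALICIOUS_SETTINGS = """
LEAKED_CWD = __import__("os").getcwd()
DEBUG = True
"""


def load_settings_exec(text):
    """Executable-config style: runs the file as code and keeps the UPPERCASE names.

    This is what makes Django-style conditionals possible, and also what lets an
    untrusted file execute arbitrary code. Only ever use it on trusted input.
    """
    namespace = {}
    exec(text, namespace)  # noqa: S102 - deliberately the unsafe variant
    return {k: v for k, v in namespace.items() if k.isupper()}


def load_settings_literal(text):
    """Data-only loader: parse NAME = <literal> lines without executing anything.

    Anything other than a simple assignment of a Python literal (numbers, strings,
    booleans, None, and lists/tuples/dicts/sets of those) raises ValueError with
    the offending line number, so a file carrying code is rejected, not run.
    """
    tree = ast.parse(text, mode="exec")
    settings = {}
    for node in tree.body:
        if (
            not isinstance(node, ast.Assign)
            or len(node.targets) != 1
            or not isinstance(node.targets[0], ast.Name)
        ):
            raise ValueError(
                f"line {node.lineno}: only simple NAME = literal assignments are allowed"
            )
        name = node.targets[0].id
        try:
            # literal_eval accepts an AST node and only builds plain data; a Call,
            # Attribute, or Name node on the right-hand side makes it raise.
            value = ast.literal_eval(node.value)
        except (ValueError, TypeError) as exc:
            raise ValueError(f"line {node.lineno}: value of {name} is not a literal") from exc
        settings[name] = value
    return settings


if __name__ == "__main__":
    print("exec loader, trusted file:   ", load_settings_exec(SAFE_SETTINGS))
    print("literal loader, trusted file:", load_settings_literal(SAFE_SETTINGS))
    print("exec loader, hostile file:   ", load_settings_exec(MALICIOUS_SETTINGS))
    try:
        load_settings_literal(MALICIOUS_SETTINGS)
    except ValueError as exc:
        print("literal loader, hostile file: rejected:", exc)
```

The trade-off is exactly the one Roy describes: the literal loader would also reject a line like DEBUG = config['build_type'] != 'production', because that is an expression, not a literal. If you want that expressiveness, keep exec-style settings and make sure the file can only come from the same trust domain as the code that imports it; if the file can come from anywhere else, load data, not code.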