Running external module and accessing the created objects

Dave Angel davea at davea.name
Tue Mar 12 12:20:07 CET 2013


On 03/12/2013 12:05 AM, Michael Torrie wrote:
> On 03/11/2013 06:48 PM, Dave Angel wrote:
>> I hope you're just kidding.  execfile() and exec() are two of the most
>> dangerous mechanisms around.  import or __import__() would be much
>> better, as long as your user hasn't already run myapp.py as his script.
>
> It's not possible to setuid a python script, so I don't see how execfile
> or exec is any more dangerous than the user creating a shell script that
> rm -rf * things, and then running it.
>
> Bash "exec's" scripts all the time that users create and provide.  How
> is this different and what issues did you have in mind, exactly?
>

Mainly that exec and execfile are a slippery slope for a new programmer. 
  Once as they get it in their minds that this is the way to do things, 
they'll soon fall into using one of them on raw_input() data, on network 
data, and on other untrusted sources.


-- 
DaveA



More information about the Python-list mailing list