Most Pythonic way to store (small) configuration
invalid at invalid.invalid
Wed Aug 5 16:00:02 CEST 2015
On 2015-08-05, Michael Torrie <torriem at gmail.com> wrote:
> On 08/04/2015 01:59 PM, Ben Finney wrote:
>> marco.nawijn at colosso.nl writes:
>>> Why not use Python files itself as configuration files?
>> Because configuration data will be user-editable. (If it's not
>> user-editable, that is itself a poor design choice.)
>> If you allow executable code to be user-edited, that opens your program
>> to arbitrary injection of executable code. Your program becomes wide
>> open for security exploits, whether through malicious or accidental
>> bugs, and simple human error can lead to arbitrary-scope damage to the
>> user's system.
> We need to state the context here. The only context in which having a
> Python config file is dangerous is when the python program runs as a
> different user/privilege than the owner of the config file. If the user
> owns the python files as well as the config file then none of this matters.
Yes, it does.
We're not just talking about intentional, malicious damange, we're
also talking about _accidental_ damage caused by an incorrect edit of
a configuration files.
It's much harder to cause damage by mis-editing an "ini" format file
that's parsed with the config file library than it is by mis-editing a
Python file that's imported.
Grant Edwards grant.b.edwards Yow! Clear the laundromat!!
at This whirl-o-matic just had
gmail.com a nuclear meltdown!!
More information about the Python-list