configparser v/s file variables
Jim Lee
jlee54 at gmail.com
Wed Jun 27 15:15:23 EDT 2018
On 06/27/18 11:45, Abdur-Rahmaan Janhangeer wrote:
> and that closes it,
>
> thanks !!!
>
> Abdur-Rahmaan Janhangeer
> https://github.com/Abdur-rahmaanJ
>
>> Importing variables from a file is dangerous because it can execute
>> arbitrary code. It should never be done with files provided by the
>> user.
>>
>> Using configparser is far, far safer.
>>
It seems a bit silly to me to worry about arbitrary code execution in
an interpreted language like Python whose default runtime execution
method is to parse the source code directly. An attacker would be far
more likely to simply modify the source to achieve his ends rather than
try to inject a payload externally.
These days, "execute arbitrary code" implies a deliberate attack. Now,
if you used input validation as an argument, I would agree that
configparser is, if not safer, easier.
-Jim
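
The difference between importing variables from a file and reading them with configparser, as discussed in this thread, shown as an added example that is not part of the original messages. The setting names, the sample file contents and the schema in `ALLOWED` are constructed for illustration, and `exec` stands in for `import`.

```python
import configparser

# Constructed sample input: the same two settings in both styles.
PY_STYLE = 'port = 8000 + 80\nworkers = __import__("os").cpu_count()\n'
INI_STYLE = '[server]\nport = 8080\nworkers = __import__("os").cpu_count()\n'

ALLOWED = {"port": (1, 65535), "workers": (1, 64)}  # assumed schema


def load_as_code(text):
    """Stand-in for `import settings`: every top-level statement is executed."""
    namespace = {}
    exec(compile(text, "<settings.py>", "exec"), namespace)
    return {k: v for k, v in namespace.items() if not k.startswith("__")}


def load_as_data(text):
    """configparser only splits text into keys and string values."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return dict(parser["server"])


def validate(raw):
    """Allow-list keys, convert to int, enforce ranges; reject anything else."""
    unknown = set(raw) - set(ALLOWED)
    if unknown:
        raise ValueError(f"unknown keys: {sorted(unknown)}")
    clean = {}
    for key, (low, high) in ALLOWED.items():
        try:
            value = int(raw[key])
        except (KeyError, ValueError):
            raise ValueError(f"{key}: missing or not an integer") from None
        if not low <= value <= high:
            raise ValueError(f"{key}: {value} outside {low}..{high}")
        clean[key] = value
    return clean


if __name__ == "__main__":
    print(load_as_code(PY_STYLE))   # expressions were evaluated at load time
    raw = load_as_data(INI_STYLE)
    print(raw)                      # same text, kept as an inert string
    try:
        validate(raw)
    except ValueError as err:
        print("rejected:", err)
```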