[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

configparser v/s file variables

On 06/27/18 11:45, Abdur-Rahmaan Janhangeer wrote:
> and that closes it,
> thanks !!!
> Abdur-Rahmaan Janhangeer
> https://github.com/Abdur-rahmaanJ
> Importing variables from a file is dangerous because it can execute
>> arbitrary code.  It should never be done with files provided by the
>> user.
>> Using configparser is far, far safer.

 ? It seems a bit silly to me to worry about arbitrary code execution in 
an interpreted language like Python whose default runtime execution 
method is to parse the source code directly.? An attacker would be far 
more likely to simply modify the source to achieve his ends rather than 
try to inject a payload externally.

These days, "execute arbitrary code" implies a deliberate attack. Now, 
if you used input validation as an argument, I would agree that 
configparser is, if not safer, easier.