[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

configparser v/s file variables

On 2018-06-27, Jim Lee <jlee54 at gmail.com> wrote:

> ?It seems a bit silly to me to worry about arbitrary code
> execution in an interpreted language like Python whose default
> runtime execution method is to parse the source code directly.?

Maybe it's not a deliberate attack.  Good application design is also
about preventing accidents.

> An attacker would be far more likely to simply modify the source to
> achieve his ends rather than try to inject a payload externally.

That's true if the user has write permission for the program itself.
That's not how applications are usually installed (at least not on the
OSes I use).

> These days, "execute arbitrary code" implies a deliberate attack.

Perhaps I should have phrased it differently: I didn't mean to
restrict my comments to a deliberate attack.

> Now, if you used input validation as an argument, I would agree that
> configparser is, if not safer, easier.

And it doesn't require that the end user have any knowlege of Python
syntax or sematics.

Grant Edwards               grant.b.edwards        Yow! ... I want FORTY-TWO
                                  at               TRYNEL FLOATATION SYSTEMS
                              gmail.com            installed within SIX AND A
                                                   HALF HOURS!!!