configparser v/s file variables
On 06/28/18 07:30, Grant Edwards wrote:
> I still maintain it's a bad idea to run arbitrary code found in
> user-edited config files.
> There may be cases where somebody has figured out how to muck with a
> config file that's shared among multiple users, or has tricked
> somebody into including something from an untrusted source in an
> include file.
> Or there could be users who don't know what they're doing and
> unwittingly type something harmful into a config file:
> bad_command = os.system("rm -rf ~/*")
> Yes, I know, users would never be that dumb...
I agree with you that it's a bad idea. I was pointing out that I look
at it from an input validation viewpoint rather than a security
viewpoint - that's all.
Absolute security isn't a solvable problem. It isn't even a technical
problem. But that's a discussion for another time...
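
The difference the thread is discussing, as an added example that is not part of the original messages: the config file is parsed as data with configparser and each value is validated, so the line quoted above is only ever an inert string. The section name, option names and schema helpers are assumptions made for illustration.

```python
import configparser

# Constructed sample of a user-edited file; the last line is the entry quoted in the message above.
SAMPLE = """\
[app]
workers = 4
log_level = debug
bad_command = os.system("rm -rf ~/*")
"""

# Hypothetical schema helpers: each converter raises ValueError on bad input.
def _int_range(lo, hi):
    def conv(raw):
        value = int(raw)
        if not lo <= value <= hi:
            raise ValueError(f"must be between {lo} and {hi}")
        return value
    return conv

def _choice(*allowed):
    def conv(raw):
        if raw.lower() not in allowed:
            raise ValueError(f"must be one of {', '.join(allowed)}")
        return raw.lower()
    return conv

SCHEMA = {"workers": _int_range(1, 64),
          "log_level": _choice("debug", "info", "warning", "error")}

def load_config(text, section="app"):
    """Return (settings, errors). Values are parsed as text and never evaluated."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
        items = parser.items(section)
    except configparser.Error as exc:  # malformed file or missing section
        return {}, [f"config rejected: {type(exc).__name__}"]
    settings, errors = {}, []
    for key, raw in items:
        conv = SCHEMA.get(key)
        if conv is None:  # options outside the schema are reported, not used
            errors.append(f"unknown option {key!r} ignored")
            continue
        try:
            settings[key] = conv(raw)
        except ValueError as exc:
            errors.append(f"{key}: {exc}")
    return settings, errors
```

Calling `load_config(SAMPLE)` returns the two validated settings plus one error entry for `bad_command`; nothing in the file is executed.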