
configparser v/s file variables

On 06/28/18 07:30, Grant Edwards wrote:
> I still maintain it's a bad idea to run arbitrary code found in
> user-edited config files.
> There may be cases where somebody has figured out how to muck with a
> config file that's shared among multiple users, or has tricked
> somebody into including something from an untrusted source in an
> include file.
> Or there could be users who don't know what they're doing and
> unwittingly type something harmful into a config file:
>    bad_command = os.system("rm -rf ~/*")
> Yes, I know, users would never be that dumb...
I agree with you that it's a bad idea. I was pointing out that I look
at it from an input validation viewpoint rather than a security
viewpoint - that's all.

Absolute security isn't a solvable problem. It isn't even a technical
problem. But that's a discussion for another time...