Python 3.6: How to expand f-string literals read from a file vs inline statement
On Fri, 23 Mar 2018 10:39:05 -0600, Malcolm Greene wrote:
>> Perhaps it doesn't need to be said, but just to be sure: don't use eval
>> if you don't trust the people writing the configuration file. They can
>> do nearly unlimited damage to your environment. They are writing code
>> that you are running.
> Of course! Script and config file are running in a private subnet
Okay. So only users who have access to the private subnet can inject code
into your application. That covers a *lot* of ground:
"The private subnet is used by me and my wife, and we both have root on
the system and trust each other implicitly."
"The private subnet is used by five thousand really smart and technically
savvy but emotionally immature teens who are constantly trying to
escalate privileges and take over the system."
I always find it amusing when techies imagine that hackers on the
internet are the only security threat.
> and both are maintained by a single developer.
And this is relevant to the security risk in what way?
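The safe alternative the thread alludes to, shown as an added example that is not part of the original message or of anyone's posted code: expand placeholders read from a config file with `string.Template` instead of `eval`. The sample config lines, the `$name` placeholder convention (used here in place of f-string `{name}` syntax) and the `expand_config` / `strict_expand` helper names are all constructed for this example. A placeholder is looked up in a plain dictionary and nothing in the file is ever executed, so a line carrying an expression stays inert text (or is rejected outright in strict mode).

```python
"""Expand config-file placeholders without eval (added example, not from the thread)."""
from string import Template

# Constructed sample config lines, as they might be read from a file.
# The last line is the kind of content a config author could write; with
# eval() it would run, with Template it is just text that never executes.
CONFIG_LINES = [
    "greeting = Hello, $user, your home is $home",
    "logfile = $home/logs/$app.log",
    "evil = ${__import__('os').system('id')}",
]

# Constructed values the placeholders may refer to. Only these names are
# reachable from the template; no builtins, modules or attributes.
VALUES = {"user": "alice", "home": "/home/alice", "app": "demo"}


def expand_config(lines, values):
    """Return {key: expanded_value} for 'key = template' lines.

    safe_substitute() replaces $name / ${name} with values[name] and leaves
    unknown or malformed placeholders untouched, so the caller sees them
    verbatim instead of getting a crash or, worse, code execution.
    """
    result = {}
    for line in lines:
        key, sep, template = line.partition("=")
        if not sep:
            continue  # skip lines that are not key = value
        result[key.strip()] = Template(template.strip()).safe_substitute(values)
    return result


def strict_expand(template, values):
    """Expand one template, refusing anything that is not a known placeholder.

    substitute() raises KeyError for an unknown name and ValueError for a
    malformed placeholder such as ${ ... } wrapping an expression, which is
    the behaviour you want when a config file should fail loudly.
    """
    return Template(template).substitute(values)


if __name__ == "__main__":
    for key, value in expand_config(CONFIG_LINES, VALUES).items():
        print(f"{key} = {value}")
    try:
        strict_expand("${__import__('os').system('id')}", VALUES)
    except ValueError as exc:
        print(f"rejected in strict mode: {exc}")
```

`safe_substitute` is the lenient choice (unknown names pass through, useful when another layer fills them later); `substitute` is the one to use when a config file must contain only the placeholders you defined, because it turns every malformed placeholder into an exception at load time rather than silently passing it along.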