[issue37418] Code execution without calling it

Paul Ganssle Wed, 26 Jun 2019 12:11:39 -0700


Paul Ganssle <[email protected]> added the comment:


> why the code is executed?
> I could do a library or a package and include evil code instead of a
> print...

The code is executed because the decorator syntax

    @decorator
    def f():
       ...

Is equivalent to

    def f():
       ...

    f = decorator(f)

So you are indeed calling the `decorator` function.

It is true that you could put evil code in the decorator function, but it's 
also true that you can execute evil code directly in the Python function as 
well, e.g.:

    execute_evil_code()

    def f():
        ...

Importing such a package would call `execute_evil_code()`.

----------
nosy: +p-ganssle

_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue37418>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue37418] Code execution without calling it

Reply via email to