On 06/27/18 11:45, Abdur-Rahmaan Janhangeer wrote:
and that closes it,

thanks !!!

Abdur-Rahmaan Janhangeer
https://github.com/Abdur-rahmaanJ

Importing variables from a file is dangerous because it can execute
arbitrary code.  It should never be done with files provided by the
user.

Using configparser is far, far safer.


It seems a bit silly to me to worry about arbitrary code execution in an interpreted language like Python whose default runtime execution method is to parse the source code directly. An attacker would be far more likely to simply modify the source to achieve his ends rather than try to inject a payload externally.

These days, "execute arbitrary code" implies a deliberate attack. Now, if you used input validation as an argument, I would agree that configparser is, if not safer, easier.

-Jim

--
https://mail.python.org/mailman/listinfo/python-list
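
The difference the thread is arguing about, as an added example that is not part of any poster's message: the same user-supplied text is loaded once by evaluating it as Python and once through configparser with explicit validation. The sample file, the `ALLOWED` schema and both function names are constructed for this illustration.

```python
import configparser

# Constructed sample: a user-supplied settings file. The second value is a
# Python expression, harmless here, standing in for code the user controls.
USER_FILE = """\
[server]
port = 8080
name = __import__('platform').node()
"""

ALLOWED = {"port": int, "name": str}  # hypothetical schema for this example


def load_by_exec(text):
    """Import-style loading: the file's contents are evaluated as Python."""
    ns = {}
    # Drop the INI header so the body parses as plain assignments (demo only).
    body = "\n".join(
        line for line in text.splitlines() if not line.startswith("[")
    )
    exec(body, ns)  # runs whatever expressions the file contains
    return {key: ns[key] for key in ALLOWED}


def load_by_configparser(text):
    """Data-only loading: values stay strings until converted and checked."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    out = {}
    for key, raw in cp["server"].items():
        if key not in ALLOWED:
            raise ValueError(f"unexpected key: {key}")
        out[key] = ALLOWED[key](raw)  # int() raises ValueError on bad input
    return out


if __name__ == "__main__":
    print("exec:        ", load_by_exec(USER_FILE))
    print("configparser:", load_by_configparser(USER_FILE))
```

With exec the `name` value is whatever the expression returned when the file was loaded; with configparser it is the literal text of the expression, and unknown keys or non-numeric ports are rejected.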
