An interesting discussion that is outside the scope of a group like this is HOW malicious things can be done and perhaps how to avoid them.
Obviously some contexts are totally uncontrolled. If you write a "calculator" that asks the user to type in an arbitrary string like "2*(3+5)" or "sin(30)" and execute that string and show the result, then they can slip in anything like a shell command to reformat the hard disk. What can you do to minimize risks in such situations? Obviously you might want to scan the string before executing and look for things like carriage returns and semi-colons that might be used to add continuation commands beyond what is asked for. You might limit the length of the string. You might scan for keywords like def and lambda. But note that a cursory scan like that has false positives as well as false negatives. You might recognize something within a character string context that is harmless or you might reject a valid SQL query because it used a word you disallow that is actually a harmless name of a data column. And, realistically, Python has so many ways to get around things that it gets silly. Given some room and ingenuity, you can create code that assembles individual characters and then executes them into a program so a scan may not reveal anything. Heck, if you can simply create a module on the disk somewhere, all you need to do is insert enough code to IMPORT the file and you can do pretty much anything. If asked to enter a calculator entry, for example, and you simply say: 5+3;import mymodule You then have an exec("5+3;import mymodule") Some such things may generate an error but only after the side effect is done. Python code is often wide open, by design, so subtle messing with internals is easy. As an example, you can change the search path for modules with an assignment statement and then any subsequent call for importing a named module gets the one you substituted. So, yes, executing random code can be dangerous. But life is dangerous -----Original Message----- From: Tutor <tutor-bounces+avigross=verizon....@python.org> On Behalf Of Alan Gauld via Tutor Sent: Thursday, November 8, 2018 5:52 AM To: tutor@python.org Subject: Re: [Tutor] best way to dynamically set class variables? On 08/11/2018 07:46, Peter Otten wrote: > By the way I don't think exec() is bad as long as you control its > input and as long as this input is fairly simple. Yes, but reading arbitrary column names from a database is not exactly controlled input... -- Alan G Author of the Learn to Program web site http://www.alan-g.me.uk/ http://www.amazon.com/author/alan_gauld Follow my photo-blog on Flickr at: http://www.flickr.com/photos/alangauldphotos _______________________________________________ Tutor maillist - Tutor@python.org To unsubscribe or change subscription options: https://mail.python.org/mailman/listinfo/tutor _______________________________________________ Tutor maillist - Tutor@python.org To unsubscribe or change subscription options: https://mail.python.org/mailman/listinfo/tutor