Re: [jokosher-devel] Jokosher Security Vulnerability

From: Laszlo Pandy <laszlok2 gmail com>
To: John Green <john thegreens co uk>
Cc: jokosher-devel-list gnome org
Subject: Re: [jokosher-devel] Jokosher Security Vulnerability
Date: Wed, 27 Sep 2006 07:49:11 -0400

John Green wrote:

On Wednesday 27 September 2006 11:52, Nick Murtagh wrote:
exec is yucky.
absolutely
Why not replace

    exec("target_object.%s"%func)

with

    getattr(target_object, func)()


There should probably be a try except around that in case target_object
is None or func isn't a method or target_object.
I like the sound of using getattr or possibly hasattr as a way of guaranteeingwhat's there is valid. I think we are also passing parameters through funcwhich complicates things a bit but that's probably just a bit of parsing.


paramString = func[ func.find("(")+1 : func.rfind(")") ]
paramList = [eval(x) for x in paramString.split(",")]
getattr(target_object, func)(*paramList)

We still have to use eval(), but that's much safer right? Is thereanyway to do malicious things with eval()?


Laszlo

References:
- [jokosher-devel] Jokosher Security Vulnerability
  - From: Laszlo Pandy
- Re: [jokosher-devel] Jokosher Security Vulnerability
  - From: John Green
- Re: [jokosher-devel] Jokosher Security Vulnerability
  - From: Nick Murtagh
- Re: [jokosher-devel] Jokosher Security Vulnerability
  - From: John Green

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]