Re: [jokosher-devel] Jokosher Security Vulnerability
- From: Laszlo Pandy <laszlok2 gmail com>
- To: John Green <john thegreens co uk>
- Cc: jokosher-devel-list gnome org
- Subject: Re: [jokosher-devel] Jokosher Security Vulnerability
- Date: Wed, 27 Sep 2006 07:49:11 -0400
John Green wrote:
> On Wednesday 27 September 2006 11:52, Nick Murtagh wrote:
> > exec is yucky.
> absolutely
> > Why not replace
> >     exec("target_object.%s" % func)
> > with
> >     getattr(target_object, func)()
> > There should probably be a try except around that in case target_object
> > is None or func isn't a method of target_object.
> I like the sound of using getattr or possibly hasattr as a way of guaranteeing
> what's there is valid. I think we are also passing parameters through func
> which complicates things a bit but that's probably just a bit of parsing.
# func looks like "method(arg1, arg2)": split the name from the parameter text
methodName = func[ : func.find("(") ]
paramString = func[ func.find("(")+1 : func.rfind(")") ]
paramList = [eval(x) for x in paramString.split(",")]
getattr(target_object, methodName)(*paramList)
We still have to use eval(), but that's much safer right? Is there
any way to do malicious things with eval()?
Laszlo
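One way to answer the question above from the defender's side, as an added example that is not Jokosher's code: it drops both exec() and eval(), dispatching through getattr() behind an explicit allowlist and parsing the parameters with ast.literal_eval, which only accepts Python literals and raises for anything else. The Target class, its method names and the ALLOWED_METHODS set are assumed for illustration.

```python
import ast
import re


class Target:
    """Constructed stand-in for target_object; method names are assumed."""

    def __init__(self):
        self.log = []

    def play(self):
        self.log.append(("play",))
        return "playing"

    def seek(self, position, units="seconds"):
        self.log.append(("seek", position, units))
        return position


# getattr() alone resolves any attribute name the string contains, so restrict
# the names that may be called to an explicit allowlist (assumed set).
ALLOWED_METHODS = frozenset({"play", "seek"})

# "name(args)" with optional surrounding whitespace; args may span lines.
_CALL_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*\((.*)\)\s*$", re.DOTALL)


def dispatch(target, call_string):
    """Run "name(arg, ...)" against target without exec() or eval().

    Raises ValueError for a malformed string, a name outside the allowlist,
    a non-callable attribute, or an argument that is not a plain literal.
    """
    m = _CALL_RE.match(call_string)
    if m is None:
        raise ValueError("malformed call: %r" % call_string)
    name, arg_text = m.group(1), m.group(2).strip()
    if name not in ALLOWED_METHODS:
        raise ValueError("method not allowed: %r" % name)
    method = getattr(target, name, None)
    if not callable(method):
        raise ValueError("not a callable method: %r" % name)
    if not arg_text:
        return method()
    try:
        # Parse "(a, b)" as one tuple literal; literal_eval never executes code.
        args = ast.literal_eval("(%s,)" % arg_text)
    except (ValueError, SyntaxError):
        raise ValueError("arguments are not plain literals: %r" % arg_text)
    return method(*args)
```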