Re: [jokosher-devel] Jokosher Security Vulnerability

John Green wrote:
On Wednesday 27 September 2006 11:52, Nick Murtagh wrote:
exec is yucky.

absolutely

Why not replace

    exec("target_object.%s"%func)

with

    getattr(target_object, func)()

There should probably be a try/except around that in case target_object
is None or func isn't a method of target_object.

I like the sound of using getattr or possibly hasattr as a way of guaranteeing that what's there is valid. I think we are also passing parameters through func, which complicates things a bit, but that's probably just a bit of parsing.

    # func looks like "methodName(arg1, arg2)": split off the name, then the argument list
    methodName = func[ : func.find("(") ]
    paramString = func[ func.find("(")+1 : func.rfind(")") ]
    paramList = [eval(x) for x in paramString.split(",") if x.strip()]
    getattr(target_object, methodName)(*paramList)

We still have to use eval(), but that's much safer, right? Is there any way to do malicious things with eval()?

Laszlo
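An added example, not code from the thread or from Jokosher itself, showing the same "name(args)" parsing with ast.literal_eval in place of eval() (so arguments can only be literals, never expressions or calls) together with an explicit allowlist of method names instead of a bare hasattr check. The Track class and its method names are stand-ins I made up.

```python
import ast
import re

# Constructed stand-in for the thread's target_object; method names are made up.
class Track:
    def __init__(self):
        self.log = []
    def set_volume(self, level):
        self.log.append(("set_volume", level))
        return level
    def rename(self, name):
        self.log.append(("rename", name))
        return name

# Explicit allowlist: hasattr() alone would also expose private and inherited
# attributes such as __class__ or __dict__.
ALLOWED_METHODS = frozenset({"set_volume", "rename"})

# name(args): identifier-shaped name, then whatever sits inside the outermost
# parentheses, which goes to ast.literal_eval, never to eval().
_CALL_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*\((.*)\)\s*$")

def parse_call(func):
    """Split 'name(args)' into (name, [args]); args must be Python literals.
    Calls, attribute access and bare names raise ValueError, and commas inside
    string literals are handled correctly, unlike a plain split(",")."""
    m = _CALL_RE.match(func)
    if not m:
        raise ValueError("not of the form name(args): %r" % func)
    name, arg_src = m.group(1), m.group(2).strip()
    if not arg_src:
        return name, []
    try:
        # Wrap as a tuple so "a, b" and a single "a" both come back as a sequence.
        args = ast.literal_eval("(" + arg_src + ",)")
    except (ValueError, SyntaxError) as exc:
        raise ValueError("arguments are not plain literals: %r" % arg_src) from exc
    return name, list(args)

def dispatch(target_object, func):
    # Parse func and call the named method only if it is on the allowlist.
    name, args = parse_call(func)
    if name not in ALLOWED_METHODS:
        raise ValueError("method not allowed: %r" % name)
    return getattr(target_object, name)(*args)

def rejects(target_object, func):
    # True if dispatch() refuses func before calling anything.
    try:
        dispatch(target_object, func)
    except ValueError:
        return True
    return False
```

Keyword arguments are deliberately not supported; a command string that needs them should get its own explicit parser rather than a fallback to eval().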