| Return-Path | <rosuav@gmail.com> |
|---|---|
| In-Reply-To | <mdgttm$pm0$1@ger.gmane.org> |
| References | <mdgttm$pm0$1@ger.gmane.org> |
| Date | Sun, 8 Mar 2015 18:42:06 +1100 |
| Subject | Re: Question about importlib |
| From | Chris Angelico <rosuav@gmail.com> |
| Cc | "python-list@python.org" <python-list@python.org> |
| Content-Type | text/plain; charset=UTF-8 |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.164.1425800529.21433.python-list@python.org> |
| Lines | 28 |
| Xref | csiph.com comp.lang.python:87137 |
On Sun, Mar 8, 2015 at 6:30 PM, Frank Millman <frank@chagford.com> wrote:
> Actually, as I write this, I realise that there is a more important question
> that had not occurred to me before. Is this a potential security risk? My
> intention is that the caller would only call functions within my own
> modules, but this could be used to call any arbitrary function.
Here's an easy solution to both halves of your problem. It guarantees
that arbitrary functions can't be called (or at least, that functions
from arbitrary modules can't be called), and guarantees predictable
performance:
```python
import some_module, another_module   # the modules you choose to expose

modules = {
    "some_module": some_module,
    "another_module": another_module,
}

# func_name arrives from the caller as "module.function"
module_name, func_name = func_name.rsplit('.', 1)
module = modules.get(module_name)
if module:
    getattr(module, func_name)(caller, xml_elem)
else:
    raise ValueError("invalid choice of module: %r" % module_name)  # cope with invalid choice
```
You could programmatically populate the dictionary (eg from a list of
acceptable module names) either with importlib or by pulling them from
sys.modules. But whichever way you do it, you have an easy guarantee
that arbitrary modules won't be imported, guaranteeing both security
and performance in one stroke.
ChrisA
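The allowlist dispatch described above, written out as an added example (not ChrisA's code): the registry is populated up front with importlib from a fixed list of module names, so a request can never cause an import, and the resolver rejects names with no module part, modules outside the list, private attributes and non-callables. The module names in ALLOWED_MODULES are assumptions chosen so the example runs anywhere.

```python
import importlib

# Constructed allowlist for this example: only these modules are reachable
# through the dispatcher. The names are assumptions, not a real project's.
ALLOWED_MODULES = ("json", "base64")


class DispatchError(LookupError):
    """Raised for any name that is not 'allowed_module.public_callable'."""


def build_registry(allowed=ALLOWED_MODULES):
    # Import every allowed module once, up front: a request can then never
    # trigger an import, so the security and performance guarantees both hold.
    return {name: importlib.import_module(name) for name in allowed}


def resolve(registry, dotted_name):
    # rpartition never raises, unlike unpacking rsplit('.', 1) on a name with no dot.
    module_name, sep, func_name = dotted_name.rpartition(".")
    if not sep or not module_name or not func_name:
        raise DispatchError(f"expected 'module.function', got {dotted_name!r}")
    module = registry.get(module_name)
    if module is None:
        raise DispatchError(f"module {module_name!r} is not in the allowlist")
    # Private and dunder attributes are not part of any module's intended API.
    if func_name.startswith("_"):
        raise DispatchError(f"{func_name!r} is not a public name")
    func = getattr(module, func_name, None)
    if not callable(func):
        raise DispatchError(f"{dotted_name!r} is not a callable")
    return func


def is_allowed(registry, dotted_name):
    """True if dotted_name would be dispatched, False if the allowlist rejects it."""
    try:
        resolve(registry, dotted_name)
    except DispatchError:
        return False
    return True


def dispatch(registry, dotted_name, *args, **kwargs):
    return resolve(registry, dotted_name)(*args, **kwargs)


if __name__ == "__main__":
    reg = build_registry()
    print(dispatch(reg, "json.dumps", {"ok": True}))
    print(is_allowed(reg, "os.getcwd"))  # False: os is not in the allowlist
```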