| Header | Value |
|---|---|
| From | "Frank Millman" <frank@chagford.com> |
| Subject | Re: Question about importlib |
| Date | Sun, 8 Mar 2015 09:53:07 +0200 |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.165.1425801224.21433.python-list@python.org> |
| References | <mdgttm$pm0$1@ger.gmane.org> <CAPTjJmrXp4MSO9f=xb_BRuPnRZ7XRKsKTkbFvo-e5N7Lr_MVVg@mail.gmail.com> |
"Chris Angelico" <rosuav@gmail.com> wrote in message
news:CAPTjJmrXp4MSO9f=xb_BRuPnRZ7XRKsKTkbFvo-e5N7Lr_MVVg@mail.gmail.com...
> On Sun, Mar 8, 2015 at 6:30 PM, Frank Millman <frank@chagford.com> wrote:
>> Actually, as I write this, I realise that there is a more important
>> question
>> that had not occurred to me before. Is this a potential security risk? My
>> intention is that the caller would only call functions within my own
>> modules, but this could be used to call any arbitrary function.
>
> Here's an easy solution to both halves of your problem. It guarantees
> that arbitrary functions can't be called (or at least, that functions
> from arbitrary modules can't be called), and guarantees predictable
> performance:
>
> modules = {
>     "some_module": some_module,
>     "another_module": another_module,
> }
>
> # split "module.func" on the last dot; only allow-listed modules are reachable
> module_name, func_name = func_name.rsplit('.', 1)
> module = modules.get(module_name)
> if module:
>     getattr(module, func_name)(caller, xml_elem)
> else:
>     raise ValueError("invalid choice of module: %r" % module_name)
>
> You could programmatically populate the dictionary (eg from a list of
> acceptable module names) either with importlib or by pulling them from
> sys.modules. But whichever way you do it, you have an easy guarantee
> that arbitrary modules won't be imported, guaranteeing both security
> and performance in one stroke.
That is a neat solution. Thanks, Chris
Frank
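The allow-list dispatch Chris describes, as an added example that is not from the thread: the module names, the `greet`/`count` functions and the `InvalidDispatch` exception are assumptions, and the modules are constructed stand-ins rather than real imports. It also closes the half Chris leaves open ("or at least, that functions from arbitrary modules can't be called") by refusing private and non-callable attribute names, so a `module.__class__`-style name cannot walk out of the allow-listed module.

```python
import types

class InvalidDispatch(ValueError):
    """Raised when a requested 'module.func' name is not on the allow-list."""

def _demo_module(name, **attrs):
    # Constructed stand-ins for the application's real modules (assumption).
    mod = types.ModuleType(name)
    vars(mod).update(attrs)
    return mod

# Allow-listed modules, registered once up front (assumed names); nothing
# outside this dict can be reached, whatever the caller asks for.
ALLOWED_MODULES = {
    "some_module": _demo_module(
        "some_module",
        greet=lambda caller, xml_elem: "hello %s from %s" % (caller, xml_elem),
        _private=lambda caller, xml_elem: "must never be reachable",
    ),
    "another_module": _demo_module(
        "another_module",
        count=lambda caller, xml_elem: len(xml_elem),
        CONSTANT=42,  # plain data, not a function: must be rejected
    ),
}

def dispatch(dotted_name, caller, xml_elem, modules=ALLOWED_MODULES):
    """Call <module>.<func>(caller, xml_elem) only if <module> is allow-listed
    and <func> is a public callable defined directly on that module."""
    if "." not in dotted_name:
        raise InvalidDispatch("expected 'module.func', got %r" % dotted_name)
    module_name, func_name = dotted_name.rsplit(".", 1)
    module = modules.get(module_name)
    if module is None:
        raise InvalidDispatch("module not allowed: %r" % module_name)
    # Refuse private and dunder names (__class__, __builtins__, ...) so the
    # module allow-list cannot be sidestepped by walking object attributes.
    if func_name.startswith("_"):
        raise InvalidDispatch("function name not allowed: %r" % func_name)
    func = vars(module).get(func_name)  # the module's own names only
    if not callable(func):
        raise InvalidDispatch("not a callable function: %r" % dotted_name)
    return func(caller, xml_elem)

def is_rejected(dotted_name, modules=ALLOWED_MODULES):
    """True if dispatch() refuses dotted_name (exercises the deny paths)."""
    try:
        dispatch(dotted_name, "caller", "elem", modules)
    except InvalidDispatch:
        return True
    return False
```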