Path: csiph.com!x330-a1.tempe.blueboxinc.net!usenet.pasdenom.info!news.chainon-marquant.org!nntpfeed.proxad.net!proxad.net!feeder1-2.proxad.net!usenet-fr.net!de-l.enfer-du-nord.net!feeder1.enfer-du-nord.net!tudelft.nl!txtfeed1.tudelft.nl!multikabel.net!newsfeed20.multikabel.net!news2.euro.net!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.003 X-Spam-Evidence: '*H*': 0.99; '*S*': 0.00; 'exec': 0.07; 'received:80.91': 0.09; 'received:80.91.229': 0.09; 'received:80.91.229.12': 0.09; 'received:gmane.org': 0.09; 'received:list': 0.09; 'received:lo.gmane.org': 0.09; 'subject:string': 0.09; '"%s': 0.16; '"dirty': 0.16; "'w')": 0.16; 'f:\\n': 0.16; 'keys.': 0.16; 'received:dip.t-dialin.net': 0.16; 'received:t-dialin.net': 0.16; 'subject:creation': 0.16; 'subject:variable': 0.16; 'wrote:': 0.18; '>>>': 0.18; 'seems': 0.20; 'from:addr:web.de': 0.23; 'code,': 0.27; 'definition': 0.30; 'anyone': 0.31; 'header:X-Complaints-To:1': 0.33; 'to:addr:python- list': 0.34; 'someone': 0.34; 'creates': 0.34; 'anything': 0.34; 'but': 0.37; 'run': 0.37; 'problems': 0.37; 'could': 0.37; 'received:org': 0.38; 'subject:from': 0.38; 'skip:o 20': 0.38; 'to:addr:python.org': 0.40; 'back': 0.62; 'everybody': 0.63; 'demo': 0.80; 'malicious': 0.84; 'trick,': 0.84; 'speaks': 0.91 X-Injected-Via-Gmane: http://gmane.org/ To: python-list@python.org From: Peter Otten <__peter__@web.de> Subject: Re: Dynamic variable creation from string Date: Fri, 09 Dec 2011 12:27:47 +0100 Organization: None References: <4edffed8$0$29988$c3e8da3$5496439d@news.astraweb.com> <8ebfe32c-46a5-4bdc-a853-018d7f72d3d3@y18g2000yqy.googlegroups.com> Mime-Version: 1.0 Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: 7Bit X-Gmane-NNTP-Posting-Host: p5084a8ea.dip.t-dialin.net X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 22 NNTP-Posting-Host: 2001:888:2000:d::a6 X-Trace: 1323430072 news.xs4all.nl 6916 [2001:888:2000:d::a6]:43731 X-Complaints-To: abuse@xs4all.nl Xref: x330-a1.tempe.blueboxinc.net comp.lang.python:16908 Massi wrote: > for k in D : exec "%s = D[k]" %k > > That seems to do the trick, but someone speaks about "dirty code", can > anyone point me out which problems this can generate? exec can run arbitrary code, so everybody reading the above has to go back to the definition of D to verify that it can only contain "safe" keys. Filling D with user-input is right out because a malicious user could do anything he likes. Here's a harmless demo that creates a file: >>> d = {"x = 42\nwith open('tmp.txt', 'w') as f:\n f.write('whatever')\nx": 123} >>> for k in d: exec "%s = d[k]" % k ... >>> x 123 >>> open("tmp.txt").read() 'whatever'