Path: csiph.com!optima2.xanadu-bbs.net!xanadu-bbs.net!feeder.erje.net!us.feeder.erje.net!news.linkpendium.com!news.linkpendium.com!panix!not-for-mail
From: Grant Edwards
Newsgroups: comp.lang.python
Subject: Re: Most Pythonic way to store (small) configuration
Date: Wed, 5 Aug 2015 14:00:02 +0000 (UTC)
Organization: PANIX Public Access Internet and UNIX, NYC
Lines: 34
Message-ID:
References: <87k2teq9tb.fsf@Equus.decebal.nl> <663ad259-48e0-4eec-a946-7cd03805ddb1@googlegroups.com> <85y4hqkepb.fsf@benfinney.id.au>
NNTP-Posting-Host: 67-130-15-94.dia.static.qwest.net
X-Trace: reader1.panix.com 1438783202 28512 67.130.15.94 (5 Aug 2015 14:00:02 GMT)
X-Complaints-To: abuse@panix.com
NNTP-Posting-Date: Wed, 5 Aug 2015 14:00:02 +0000 (UTC)
User-Agent: slrn/1.0.2 (Linux)
Xref: csiph.com comp.lang.python:95018

On 2015-08-05, Michael Torrie wrote:
> On 08/04/2015 01:59 PM, Ben Finney wrote:
>> marco.nawijn@colosso.nl writes:
>>
>>> Why not use Python files itself as configuration files?
>>
>> Because configuration data will be user-editable. (If it's not
>> user-editable, that is itself a poor design choice.)
>>
>> If you allow executable code to be user-edited, that opens your program
>> to arbitrary injection of executable code. Your program becomes wide
>> open for security exploits, whether through malicious or accidental
>> bugs, and simple human error can lead to arbitrary-scope damage to the
>> user's system.
>
> We need to state the context here. The only context in which having a
> Python config file is dangerous is when the python program runs as a
> different user/privilege than the owner of the config file. If the user
> owns the python files as well as the config file then none of this matters.

Yes, it does. We're not just talking about intentional, malicious
damage, we're also talking about _accidental_ damage caused by an
incorrect edit of a configuration file.

It's much harder to cause damage by mis-editing an "ini" format file
that's parsed with the config file library than it is by mis-editing a
Python file that's imported.

-- 
Grant Edwards               grant.b.edwards        Yow! Clear the laundromat!!
                                  at               This whirl-o-matic just had
                              gmail.com            a nuclear meltdown!!
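The point Grant makes above, as an added example that is not part of the thread: a small INI-style configuration read with the standard-library `configparser` is pure data, so a typo or a mangled line is reported as a parse or value error at load time instead of being executed the way a mis-edited imported Python module would be. The section and option names (`[server]`, `host`, `port`, `debug`), the `Settings` and `ConfigError` classes and the `load_config`/`describe_outcome` functions are illustrative choices for this example; the three INI samples are constructed to show a correct edit, an accidental bad value and an accidental syntax break.

```python
"""Added example (not from the thread): load a small INI configuration with
configparser and validate it, so a mistyped edit yields a clear error rather
than running code. Names, section/option keys and samples are illustrative."""
import configparser
from dataclasses import dataclass

# Constructed sample: a correctly edited config.
GOOD_INI = """
[server]
host = 127.0.0.1
port = 8080
debug = no
"""

# Constructed sample of an accidental mis-edit: port is no longer an integer.
BAD_VALUE_INI = """
[server]
host = 127.0.0.1
port = 80 80
debug = no
"""

# Constructed sample of a structural mis-edit: the '=' was deleted.
BAD_SYNTAX_INI = """
[server]
host 127.0.0.1
port = 8080
"""


@dataclass(frozen=True)
class Settings:
    host: str
    port: int
    debug: bool


class ConfigError(ValueError):
    """Raised for any malformed, unknown or out-of-range configuration value."""


def load_config(text: str) -> Settings:
    """Parse INI text into Settings. Only data is read; nothing is executed.
    Unknown sections/options and bad values are reported, never silently used."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error as exc:  # ParsingError, DuplicateOptionError, ...
        raise ConfigError(f"config is not valid INI: {exc}") from exc

    # Reject anything the program does not know about, so a stray edit is visible.
    if set(parser.sections()) != {"server"}:
        raise ConfigError(f"unexpected sections: {parser.sections()}")
    unknown = set(parser["server"]) - {"host", "port", "debug"}
    if unknown:
        raise ConfigError(f"unknown options in [server]: {sorted(unknown)}")

    section = parser["server"]
    try:
        port = section.getint("port")  # int("80 80") raises ValueError
        debug = section.getboolean("debug", fallback=False)  # yes/no, on/off, 1/0
    except ValueError as exc:
        raise ConfigError(f"bad value in [server]: {exc}") from exc
    if not 1 <= port <= 65535:
        raise ConfigError(f"port out of range: {port}")
    return Settings(host=section.get("host", "localhost"), port=port, debug=debug)


def describe_outcome(text: str) -> str:
    """Return 'ok', or the name of the underlying error, for a config sample."""
    try:
        load_config(text)
        return "ok"
    except ConfigError as exc:
        return type(exc.__cause__).__name__ if exc.__cause__ else "ConfigError"


if __name__ == "__main__":
    print(load_config(GOOD_INI))
    for sample in (BAD_VALUE_INI, BAD_SYNTAX_INI):
        print(describe_outcome(sample))
```

Running the script shows the good sample loading into a `Settings` object, while the two mis-edited samples fail with `ValueError` and `ParsingError` respectively; both failures happen before the program acts on any setting, and neither involves evaluating the file's contents as code.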