
Re: editing conf file

From Roy Smith <roy@panix.com>
Newsgroups comp.lang.python
Subject Re: editing conf file
Date 2012-11-16 09:08 -0500
Organization PANIX Public Access Internet and UNIX, NYC
Message-ID <roy-97D44D.09081116112012@news.panix.com> (permalink)
References <k85a7i$sjn$1@poprovec.arnes.si> <54qhn9-u85.ln1@satorlaser.homedns.org> <k85f02$ihn$1@poprovec.arnes.si>



Ulrich Eckhardt <ulrich.eckhardt@dominolaser.com> wrote:
> in general importing configuration data by loading and 
> executing code is a questionable approach. The problem is in particular 
> that the code parser is always more strict with the syntax than a 
> configuration file should be. Also, it presents the danger of code 
> injection, especially when exec'ing or importing untrusted code.

chip9munk <"chip9munk[SSSpAm"@gmail.com> wrote:
> huh... ok, the thing is that there will actually be no code in the 
> config file, just some variables and values.. it will be more like a 
> "setting file"... so no execution of the config file is necessary, just 
> getting and setting variables...

I've been using django for the past couple of years, and I have to say 
I'm really addicted to their style of executable config files.  The 
ability to put conditional logic in your settings.py file is extremely 
powerful.  Even simple stuff like:

DEBUG = songza.config['build_type'] != 'production'

adds value.

But, yes, Ulrich is 100% correct that it can lead to code injection 
attacks if you allow reading configs from untrusted sources.  Like all 
powerful tools, it needs to be used with care.

These days, if I was writing something that needed a config file and I 
didn't want to do "import settings" for whatever reason, I would go with 
YAML.  It seems to give an attractive mix of:

* supporting complex data structures
* easy for humans to hand-edit
* easy for humans to read
* safe from code injection attacks
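As an added example (mine, not Roy's and not from this thread): a loader and editor for the plain "variables and values" setting file chip9munk describes, which keeps complex data structures and hand-editing but never imports or exec's the file. The sample settings text is constructed; it assumes Python 3.9 or later.

```python
import ast
from typing import Any

# Constructed sample "setting file": only NAME = <literal> lines, the shape
# chip9munk describes (variables and values, nothing to execute).
SAMPLE_SETTINGS = """\
# build settings
build_type = 'production'
debug = False
hosts = ['web1.example', 'web2.example']   # complex structures still work
limits = {'upload_mb': 25, 'workers': 4}
"""


def parse_settings(text: str) -> dict[str, Any]:
    """Read NAME = literal assignments without exec() or import.

    Every top-level statement must be a single-target assignment whose
    right-hand side ast.literal_eval accepts (strings, numbers, tuples,
    lists, dicts, sets, booleans, None).  A call, attribute access or bare
    name is rejected with ValueError, so nothing in the file ever runs.
    """
    settings: dict[str, Any] = {}
    for node in ast.parse(text).body:
        if (not isinstance(node, ast.Assign) or len(node.targets) != 1
                or not isinstance(node.targets[0], ast.Name)):
            raise ValueError(f"line {node.lineno}: only NAME = value allowed")
        name = node.targets[0].id
        try:
            settings[name] = ast.literal_eval(node.value)
        except ValueError:
            raise ValueError(f"line {node.lineno}: {name} is not a literal") from None
    return settings


def set_setting(text: str, name: str, value: Any) -> str:
    """Return the file text with NAME = repr(value) replaced or appended.

    Other lines are left untouched (a trailing comment on the rewritten
    line is dropped).  repr() of a literal is itself a literal, so the
    result still loads through parse_settings().
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.split("=", 1)[0].strip() == name:
            lines[i] = f"{name} = {value!r}"
            break
    else:
        lines.append(f"{name} = {value!r}")
    return "\n".join(lines) + "\n"
```

The same "safe from code injection" property holds for YAML only when the file is read with PyYAML's yaml.safe_load; the full loader can construct arbitrary Python objects from tagged values.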
