|
From: Michael F. <fuz...@vo...> - 2009-05-16 13:00:08
|
Hello Ken,

I'll look at this. A problem with eval is that it is unsafe (arbitrary code execution) - which is one reason to use a text based config system in the first place.

Michael

--
http://www.ironpythoninaction.com

On 16 May 2009, at 03:55, Ken Kuhlman <ksk...@gm...> wrote:

> As a first time poster, let me first thank you for configobj. It's
> a nice piece of work, and the fact that I've never really had to
> think about it is a real testament to your ability to put out stable
> releases that 'just work'.
>
> Lately, though, I've been drawn to 'alternate' python
> implementations: jython, fepy, appengine, pypy and such. Unlike
> cpython, these don't provide a working compiler.parser, which means
> that the unrepr mode of configobj doesn't work under them.
>
> I noticed Dag Brattli & Fuzzyman's tweets, which suggested eval as a
> workable replacement, and came up with the attached patch against
> the current rev (19). The core of the patch is very
> straightforward, though I had to make some trivial changes to the
> tests to get them to pass under Jython.
>
> Since there's already some minor import trickery in configobj for
> IronPython, I'm hoping that this patch is acceptable. Let me know
> if you need me to create a ticket.
>
> Thanks again,
> -Ken
>
> PS: You won't want to commit the "configobj.compiler = None" line
> in test_configobj.py. It's just there to demo unrepr in the absence
> of a working compiler module.
>
> <nocompiler.diff>
|
From: Ken K. <ke...@re...> - 2009-05-20 18:33:47
|
On Sat, May 16, 2009 at 6:47 AM, Michael Foord <fuz...@vo...> wrote:

> Hello Ken,
>
> I'll look at this. A problem with eval is that it is unsafe (arbitrary
> code execution) - which is one reason to use a text based config
> system in the first place.
>
> Michael
>
> --
> http://www.ironpythoninaction.com

Thanks Michael. After doing some more digging around it looks like this is as much a Python 3 issue as anything, and that the ast module is the preferred long-term solution.

I think I'll break jython support (ignoring unrepr) out into its own ticket, and create another for using ast when compiler isn't available. The differences between the APIs are giving me fits, though, so I'm not going to make any promises that the latter will come with a working patch.

Anyway, there's no huge hurry here. In the short term, I can follow Dag's lead & just monkey-patch unrepr with eval. The potential security concerns with eval aren't important for my use case.

thanks,
-Ken
|
From: Ken K. <ksk...@gm...> - 2009-05-20 18:40:55
|
On Sat, May 16, 2009 at 6:47 AM, Michael Foord <fuz...@vo...> wrote:

> Hello Ken,
>
> I'll look at this. A problem with eval is that it is unsafe (arbitrary
> code execution) - which is one reason to use a text based config
> system in the first place.
>
> Michael
>
> --
> http://www.ironpythoninaction.com

Thanks Michael. After doing some more digging around it looks like this is as much a Python 3 issue as anything, and that the ast module is the preferred long-term solution.

I think I'll break jython support (ignoring unrepr) out into its own ticket, and create another for using ast when compiler isn't available. The differences between the APIs are giving me fits, though, so I'm not going to make any promises that the latter will come with a working patch.

Anyway, there's no huge hurry here. In the short term, I can follow Dag's lead & just monkey-patch unrepr with eval. The potential security concerns with eval aren't important for my use case.

thanks,
-Ken
|
From: Ken K. <ksk...@gm...> - 2009-05-21 17:44:27
|
On Wed, May 20, 2009 at 1:40 PM, Ken Kuhlman <ksk...@gm...> wrote:

> On Sat, May 16, 2009 at 6:47 AM, Michael Foord <fuz...@vo...> wrote:
>
>> Hello Ken,
>>
>> I'll look at this. A problem with eval is that it is unsafe (arbitrary
>> code execution) - which is one reason to use a text based config
>> system in the first place.
>>
>> Michael
>>
>> --
>> http://www.ironpythoninaction.com
>
> Thanks Michael. After doing some more digging around it looks like this is
> as much a Python 3 issue as anything, and that the ast module is the
> preferred long-term solution.
>
> I think I'll break jython support (ignoring unrepr) out into its own
> ticket, and create another for using ast when compiler isn't available. The
> differences between the APIs are giving me fits, though, so I'm not going to
> make any promises that the latter will come with a working patch.

I got the ast-based Builder fully working. I ended up combining the patches after all, though, since there was some overlap in the imports.

Ticket #3 on google code.

Thanks,
-Ken
|
From: Michael F. <fuz...@vo...> - 2009-05-21 21:51:27
|
Ken Kuhlman wrote:

> On Wed, May 20, 2009 at 1:40 PM, Ken Kuhlman <ksk...@gm...
> <mailto:ksk...@gm...>> wrote:
>
>     On Sat, May 16, 2009 at 6:47 AM, Michael Foord
>     <fuz...@vo... <mailto:fuz...@vo...>> wrote:
>
>         Hello Ken,
>
>         I'll look at this. A problem with eval is that it is unsafe
>         (arbitrary
>         code execution) - which is one reason to use a text based config
>         system in the first place.
>
>         Michael
>
>         --
>         http://www.ironpythoninaction.com
>
>     Thanks Michael. After doing some more digging around it looks
>     like this is as much a Python 3 issue as anything, and that the
>     ast module is the preferred long-term solution.
>
>     I think I'll break jython support (ignoring unrepr) out into its
>     own ticket, and create another for using ast when compiler isn't
>     available. The differences between the APIs are giving me fits,
>     though, so I'm not going to make any promises that the latter will
>     come with a working patch.
>
> I got the ast-based Builder fully working. I ended up combining the
> patches after all, though, since there was some overlap in the imports.
>
> Ticket #3 on google code.

Cool - great. I'll look at the best way of integrating this. ConfigObj will need something of a rewrite for Python 3 anyway as the unicode handling will be different (although not massively different come to think of it). No-one has asked me for a Python 3 version yet anyway. :-)

Many thanks,

Michael

> Thanks,
> -Ken

--
http://www.ironpythoninaction.com/
http://www.voidspace.org.uk/blog
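The trade-off discussed in this thread, eval versus an ast-based builder for unrepr-style values, shown as an added example; it is not the patch from ticket #3 or ConfigObj's own code. The names `safe_unrepr`, `UnreprError` and `compare` are hypothetical, the sample values are constructed, and Python 3.8+ is assumed for `ast.Constant`.

```python
import ast

class UnreprError(ValueError):
    """Raised when a config value is anything other than a plain literal."""

def _build(node):
    # Allow-list of node types; every other node (Call, Attribute, Name,
    # BinOp, Subscript, ...) falls through to the rejection at the bottom.
    if isinstance(node, ast.Constant):      # str, bytes, numbers, True/False/None
        return node.value
    if isinstance(node, ast.List):
        return [_build(e) for e in node.elts]
    if isinstance(node, ast.Tuple):
        return tuple(_build(e) for e in node.elts)
    if isinstance(node, ast.Dict) and None not in node.keys:   # no {**x} unpacking
        return {_build(k): _build(v) for k, v in zip(node.keys, node.values)}
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.USub, ast.UAdd)):
        value = _build(node.operand)
        if type(value) in (int, float, complex):            # -3, +1.5; not -"x"
            return -value if isinstance(node.op, ast.USub) else value
    raise UnreprError("not a literal: %s" % type(node).__name__)

def safe_unrepr(text):
    """Turn one config value into a Python object without executing it."""
    try:
        tree = ast.parse(text.strip(), mode="eval")
    except SyntaxError as exc:
        raise UnreprError("invalid syntax: %s" % exc.msg)
    return _build(tree.body)

# Constructed sample values, as they might appear after "key = " in a config file.
SAMPLES = ["[1, 'a', {'k': (2.5, None)}, -3]", "True", "len('abc')", "().__class__"]

def compare(samples=SAMPLES):
    """Return (value, eval result, safe_unrepr result or 'rejected') rows."""
    rows = []
    for text in samples:
        try:
            safe = safe_unrepr(text)
        except UnreprError:
            safe = "rejected"
        rows.append((text, eval(text), safe))   # eval runs the call; shown for contrast
    return rows

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The builder only ever constructs objects from literal nodes, so a value containing a call or attribute access is refused at parse-tree level, while eval evaluates it.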