From: Patrick T. <pat...@go...> - 2012-03-31 20:40:16
Quoting Faheem Mitha (2012-03-31 20:42:06)
>I'm trying to convert the value to a list of integer lists, as it appears
>to be in the config file. I don't think "eval" is a good way to go either,
>but can you suggest an alternative?
>> Also note that using eval like this makes your app vulnerable to code
>> injection because you don't sanitize the string you hand over.
>
>Yes, I see. Since 'eval' can execute arbitrary code. I'm open to
>alternative methods to convert this string into a list of lists. Also, how
>could one sanitize the call to 'eval'?
Typically you'd grep for file removals and so on, or run it in a chroot or something
similar, but I don't think you should go that road and try to replace eval.
>> Quoting Faheem Mitha (2012-03-31 19:00:42)
>Yes, I would have expected it to just pass the value as a string, but it
>seems to be altering it to a list first. Since I give it my check
>function, I would expect it to use that instead of whatever default
>internal conversion it does.
I would also expect this and hope configobj will be changed in that respect.
At least the current behaviour should either be documented better as the relevant part
of the doc is rather confusing:
All parameters and keyword arguments are always passed as strings. (Parsed from the check string).
The value might be a string (or list of strings) and need converting to the right type - alternatively it might
already be a list of integers. Our function needs to be able to handle either.
You could try using a different separator, say a semicolon for inner lists and a dot for
outer lists. If you don't mind compromising your syntax like this, you can use:
value = 1.2;3.4.5
[inner.split('.') for inner in value.split(';')]
best,
/p
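The separator-based approach above, written out as a strict parser (added example, not code from this thread or from configobj). It assumes the `;`/`.` separators Patrick suggests, accepts either the raw string or the already-split list that configobj may hand to a check function, and rejects anything that is not an integer token instead of evaluating it; `parse_int_lists` is a hypothetical name.

```python
import re
from typing import List, Sequence, Union

# Only an optional sign followed by digits is accepted. int() alone is looser
# (it tolerates surrounding whitespace, "+", and "1_000"), so validate first.
_INT_TOKEN = re.compile(r"^-?\d+$")


def parse_int_lists(
    value: Union[str, Sequence[str]],
    outer_sep: str = ";",
    inner_sep: str = ".",
) -> List[List[int]]:
    """Convert '1.2;3.4.5' (or ['1.2', '3.4.5']) into [[1, 2], [3, 4, 5]].

    No eval: every token is checked against _INT_TOKEN before int(), so a
    config value containing code or anything else non-numeric raises
    ValueError rather than being executed or silently coerced.
    """
    # configobj may pass the raw string or a list of strings; handle both.
    if isinstance(value, str):
        outer_chunks = value.split(outer_sep)
    else:
        outer_chunks = [str(chunk) for chunk in value]

    result: List[List[int]] = []
    for chunk in outer_chunks:
        chunk = chunk.strip()
        if not chunk:
            raise ValueError("empty inner list in config value")
        inner: List[int] = []
        for token in chunk.split(inner_sep):
            token = token.strip()
            if not _INT_TOKEN.match(token):
                raise ValueError(f"not an integer token: {token!r}")
            inner.append(int(token))
        result.append(inner)
    return result


if __name__ == "__main__":
    # Constructed sample values in the proposed syntax.
    print(parse_int_lists("1.2;3.4.5"))        # [[1, 2], [3, 4, 5]]
    print(parse_int_lists(["1.2", "3.4.5"]))   # [[1, 2], [3, 4, 5]]
```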