From: Steven D'A. <st...@cy...> - 2004-06-03 02:24:31
On Tue, Jun 01, 2004 at 01:05:31PM -0700, Tim Black wrote:

> But I wanted to be able to
> empower the user to dynamically update the constants used in their app
> without having to update the entire distribution folder. So I made the
> following change:

If this is aimed at end users, then this is an enormous security hole, and if your application ever becomes popular, then you can guarantee that somebody will find a way to take advantage of it.

What happens when users edit your Constants file and accidentally trash the file, or delete many of the constants that you rely on?

What happens if, instead of being careless, a malicious user gets access to another person's PC and edits their Constants file to include Python code which breaks your code? Or worse, manages to get a line like:

    import shutil; shutil.rmtree("/")

into the Constants file?

Python has total access to your user's machine. It doesn't run in a sand-box like Java. If you and your users are comfortable with giving your program the ability to reformat their disk, delete files, launch applications, install software or similar, then using exec and execfile is acceptable.

Otherwise, the safe way to implement user updated data will be something like this:

- read your default constants from a Python file. Since you control the file, it is as safe as any Python app can be.

- look for a configuration file from the user in the appropriate places, eg $HOME/myconfig.ini under Linux, C:/My Documents And Settings/ under Windows, etc.

- if the file exists, read updated constants only from it. Do not use exec or execfile unless you can guarantee the file is safe. If the file is trashed, your application can give a warning and then just ignore the errors.

Python has a module for reading ini files. Use it, or write your own.

--
Steven D'Aprano
Operations Manager
Cybersource Pty Ltd, ABN 13 053 904 082
Level 4, 10-16 Queen St, Melbourne VIC 3000
Tel: +61 3 9621 2377 Fax: +61 3 9621 2477
Web: http://www.cybersource.com.au
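Added example, not part of the original message or of either poster's code: one way to follow the three steps above with the standard-library configparser module, so that user text is only ever parsed as data. The constant names, the [constants] section name and the sample inputs are assumptions constructed for illustration.

```python
import configparser

# Stand-in for the trusted constants shipped with the application (hypothetical names).
DEFAULTS = {"TIMEOUT": 30, "RETRIES": 3, "TITLE": "My App", "DEBUG": False}

def _coerce(raw, kind):
    """Convert an INI string to the type of the default it replaces."""
    if kind is bool:
        states = configparser.ConfigParser.BOOLEAN_STATES
        if raw.lower() not in states:
            raise ValueError(f"not a boolean: {raw!r}")
        return states[raw.lower()]
    return kind(raw)  # int("...") raises ValueError on anything but a number

def load_constants(ini_text, defaults=DEFAULTS, section="constants"):
    """Return (constants, problems); user text is parsed as data, never executed."""
    constants, problems = dict(defaults), []
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep keys case-sensitive
    try:
        parser.read_string(ini_text)
    except configparser.Error as exc:  # trashed file: report it and keep defaults
        return constants, [f"config ignored: {type(exc).__name__}"]
    if not parser.has_section(section):
        return constants, problems
    for key, raw in parser.items(section):
        if key not in defaults:  # users may override known constants only
            problems.append(f"unknown constant ignored: {key}")
            continue
        try:
            constants[key] = _coerce(raw, type(defaults[key]))
        except ValueError:
            problems.append(f"bad value for {key}, default kept")
    return constants, problems

# Constructed sample inputs: a valid file, one carrying Python code, one trashed.
GOOD_INI = "[constants]\nTIMEOUT = 60\nDEBUG = yes\n"
CODE_INI = '[constants]\nTIMEOUT = __import__("os").getcwd()\nEXTRA = 1\n'
TRASHED_INI = "import os\nTIMEOUT 60\n"

if __name__ == "__main__":
    for text in (GOOD_INI, CODE_INI, TRASHED_INI):
        print(load_constants(text))
```

In an application, the text would come from the user's file (for example $HOME/myconfig.ini) only if that file exists, and the returned problems list would drive the warning shown to the user.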