Why is exec() a nonproblem?
The previous section has a discussion on eval()
. The same considerations apply to exec()
.
Generally, the set of available globals()
is tightly controlled. Access to the os
module or the __import__()
function can be eliminated by removing them from the globals provided to exec()
.
If you have an evil programmer who will cleverly corrupt the configuration files, recall that they have complete access to all Python source. Why would they waste time cleverly tweaking configuration files when they can just change the application code itself?
One common question is this: "What if someone thinks they can monkey patch a broken application by forcing new code in via the configuration file?" This person is just as likely to break the application into a number of other equally clever/deranged ways. Avoiding Python configuration files won't stop the unscrupulous programmer from breaking things by doing something that's ill-advised. There are a myriad of potential weaknesses; needless...