use strings to call functions

Steven D'Aprano

Despite the fact that it's used in the standard library...

Wisely or not, the standard library implicitly trusts its input.

That's one of the many reasons why it's so hard to have a restricted
subset of Python.
 
Diez B. Roggisch

On 09.02.10 07:00, OdarR wrote:
go to hell ;-), it is part of the language, it seems to match the
aforementioned question.

And if the extension happens to be valid Python code, you might inject
malicious code through the filename. Great idea!

globals()["function_" + ext]()

is all you need, and doesn't suffer from that attack vector.

Diez
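The difference Diez describes, as an added example that is not code from the thread: with `eval()` the file extension is parsed as Python source, while with a `globals()` or dictionary lookup it is only ever a key. The handler names, the `unrelated` function, and the constructed filename are assumptions made for illustration.

```python
import os

CALLS = []  # records which functions ran, so the effect is observable

def function_txt():
    CALLS.append("txt")
    return "parsed text file"

def function_csv():
    CALLS.append("csv")
    return "parsed csv file"

def unrelated():
    # Stands in for any callable the filename's author was never meant to reach.
    CALLS.append("unrelated")
    return "should not have run"

def extension(filename):
    # Everything after the last dot, without the dot itself.
    return os.path.splitext(filename)[1][1:]

def dispatch_eval(filename):
    # Pattern criticised in the thread: the extension becomes source code.
    return eval("function_" + extension(filename) + "()")

def dispatch_globals(filename):
    # Lookup from the post above: the extension is only a dictionary key.
    # It can still reach any module-level name starting with "function_".
    return globals()["function_" + extension(filename)]()

HANDLERS = {"txt": function_txt, "csv": function_csv}

def dispatch_table(filename):
    # Explicit allowlist: only registered handlers can ever be called.
    ext = extension(filename)
    try:
        handler = HANDLERS[ext]
    except KeyError:
        raise ValueError("unsupported extension: %r" % ext) from None
    return handler()

# Constructed filename whose "extension" is itself a Python expression.
CRAFTED = "notes.txt(), unrelated"

if __name__ == "__main__":
    print(dispatch_eval(CRAFTED), CALLS)   # both functions ran
    print(dispatch_table("notes.txt"))     # normal use is unchanged
```

The lookup variants fail closed on the constructed filename (`KeyError` or `ValueError`) without calling anything.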
 
Klaus Neuner

go to hell ;-), it is part of the language, it seems to match the
aforementioned question.

That's right. In fact, your code is the precise analogy of my Prolog
example in Python. Obviously, eval() and call() are both inherently
dangerous. They should never be used in programs that are used in
programs that get input from people other than the author. Yet, my
program is supposed to parse files that I have created myself and that
are on my laptop. It is not supposed to interact with anybody else
than me.

On the other hand, I think, it is worthwhile getting acquainted with
the getattr-stuff, because this method can be useful in many contexts.

Anyway, thanks to all who participated in this thread. It taught me a
lot.
 
Stefan Behnel

Klaus Neuner, 09.02.2010 10:04:
my program is supposed to parse files that I have created myself and that
are on my laptop. It is not supposed to interact with anybody else
than me.

Famous last words.

Stefan
 
Klaus Neuner

Klaus Neuner, 09.02.2010 10:04:

Famous last words.

Stefan

All right, I admit that eval() is evil and should never be used. Under
no circumstances. (Which is, of course, the reason, why Python has
eval().) The same applies to knives. You shouldn't use them. You
shouldn't even use them in your own kitchen. A man might enter your
kitchen, take your knife away and use it against you.
 
Bruno Desthuilliers

Klaus Neuner wrote:
All right, I admit that eval() is evil and should never be used.

Can you tell the difference between your above statement and the following:

"""
eval() is potentially dangerous and can make code harder to debug. 99%
of the proposed use case for eval() are covered by simpler, less
dangerous and easier to understand solutions, so the GoodPractice(tm) is
to favor these solutions and only use eval() - with appropriate care -
for the remaining 1% _real_ use case.
"""

If you can't tell the difference, then you're about as (im)mature as my
13 year old son and it might eventually be time to grow up.

The same applies to knives. You shouldn't use them. You
shouldn't even use them in your own kitchen. A man might enter your
kitchen, take your knife away and use it against you.

Knives - specially the kind I use in my kitchen - are indeed potentially
dangerous, and I indeed had to educate my son so he wouldn't do anything
stupid with them - like pointing a knife at someone, running across the
house with a knife in his hand, or using them instead of a more
appropriate tool.

The probability that someone will enter your kitchen and use one of your
knives against you, while not null, is low enough to be ignored IMHO. I
wish I could say the same about script kiddies or more educated (and
dangerous) bad guys trying to attack our servers.

But you obviously never had to neither fix a compromised server nor
raise a kid - else you'd know better. Hopefully you didn't raise my kid -
now I just pray none of your code will ever run on our servers.
 
Klaus Neuner

Klaus Neuner wrote:

Can you tell the difference between your above statement and the following:

As already pointed out in my second post (though perhaps not
explicitly enough), I like the getattr-stuff better than eval(). That
is why I will not use eval(). I don't have a reason to use eval(). All
I wanted to say is this: If there are no circumstances at all under
which eval() can reasonably be used, then it should not be part of
Python. As it is part of Python (and as Python is a carefully designed
language), there will most probably be some situations in which one might
want to use it.
 
Bruno Desthuilliers

Klaus Neuner wrote:
As already pointed out in my second post (though perhaps not
explicitly enough),

Or perhaps is it me that failed to re-read a bit more of the thread
before answering - I obviously missed the irony (and made an a... of
myself), sorry :-/

All
I wanted to say is this: If there are no circumstances at all under
which eval() can reasonably be used, then it should not be part of
Python. As it is part of Python (and as Python is a carefully designed
language), there will most probably be some situations in which one might
want to use it.

Indeed.
 
Klaus Neuner

Or perhaps is it me that failed to re-read a bit more of the thread
before answering - I obviously missed the irony (and made an a... of
myself), sorry :-/

There is nothing to be sorry about. I am grateful to all participants
of this thread. I know a lot more about Python than before.
 
Dennis Lee Bieber

All right, I admit that eval() is evil and should never be used. Under
no circumstances. (Which is, of course, the reason, why Python has
eval().) The same applies to knives. You shouldn't use them. You
shouldn't even use them in your own kitchen. A man might enter your
kitchen, take your knife away and use it against you.

You've been listening to the UK medical industry, haven't you? <G>
http://news.bbc.co.uk/2/hi/4581871.stm
 
