[Zope-dev] use of exec in products considered harmful?
Jonothan Farr
jfarr@real.com
Fri, 10 Mar 2000 15:54:36 -0800
I'm considering doing something in the LocalFS product that seems like a
potentially huge security risk, which is calling exec on a string submitted
through a form. The reason is that I want to allow users to customize the object
class associated with different content-types when the product constructs a Zope
object from a local file. I need a way for them to specify the arguments to the
object constructor from the management interface. The solution I came up with is
rather awkward but I can't think of a better one.
Suppose 'c' is a string containing, for example,
"OFS.DTMLMethod.DTMLMethod(data, __name__=id)".
This is the code to construct the object:
import string

try:
    # this should hopefully avoid executing
    # malicious python code
    if ';' in c: raise ValueError
    # everything before the last '.' is taken to be the module path
    m = c[:string.rindex(c, '.')]
    exec('import ' + m)
    exec('ob = ' + c)
except: pass    # any failure (bad module, bad syntax) is silently ignored
I'm hoping that by disallowing ';' in the string I can avoid malicious code
like: OFS.DTMLMethod.DTMLMethod(data, __name__=id); print "Hi. I've got control
of your server now. Have a nice day."
Can anyone else think of how this code can still be exploited? Can anyone think
of a better, safer way to do this altogether? Is any of this making sense?
Thanks,
-jfarr
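The following is an added example; it is not part of Jonothan Farr's message or of the LocalFS product. It answers both questions in the post in code: it shows two form strings that contain no ';', pass the posted check, and are then run by exec() as attacker-chosen Python (one hides the call inside an argument, one on a second line), and it shows an alternative that never exec()s the string at all: parse it with the ast module, accept only a constructor from an allow list called with the names the product binds (or with literals), and make the call directly. It is written for Python 3. The module 'demo_products.dtml' with its DTMLMethod and File classes is a constructed stand-in for Zope's OFS modules so the example runs without Zope installed, and the names ALLOWED_CONSTRUCTORS, build_with_exec and build_safely are this example's own.

```python
"""Added example (not from the post or LocalFS): why a ';' filter does not make
exec() of a form string safe, and how to get the same customisation without
exec().  Python 3; demo_products.dtml and its classes are constructed stand-ins
for Zope's OFS classes."""
import ast
import sys
import types


# --- constructed stand-ins for the product classes a form string may name ----
class DTMLMethod:
    def __init__(self, data, __name__=None):
        self.data = data
        self.id = __name__


class File:
    def __init__(self, data, __name__=None):
        self.data = data
        self.id = __name__


_pkg = types.ModuleType('demo_products')
_mod = types.ModuleType('demo_products.dtml')
_mod.DTMLMethod, _mod.File, _pkg.dtml = DTMLMethod, File, _mod
sys.modules['demo_products'], sys.modules['demo_products.dtml'] = _pkg, _mod


# --- the posted approach as a function (bare except dropped so failures show) -
def build_with_exec(spec, namespace):
    """Reject ';', import everything before the last '.', then exec the spec."""
    if ';' in spec:
        raise ValueError("';' not allowed")
    module = spec[:spec.rindex('.')]
    env = dict(namespace)          # 'data' and 'id', as the product binds them
    exec('import ' + module, env)
    exec('ob = ' + spec, env)
    return env['ob']


# --- alternative: parse the spec, allow only known constructors, plain args ---
ALLOWED_CONSTRUCTORS = {
    'demo_products.dtml.DTMLMethod': DTMLMethod,
    'demo_products.dtml.File': File,
}


def _dotted_name(node):
    """Turn an Attribute chain like a.b.C back into 'a.b.C'; reject anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        raise ValueError('constructor must be a plain dotted name')
    parts.append(node.id)
    return '.'.join(reversed(parts))


def _argument(node, namespace):
    """Arguments may only be a name the product binds, or a simple literal."""
    if isinstance(node, ast.Name):
        if node.id not in namespace:
            raise ValueError('unknown name %r' % node.id)
        return namespace[node.id]
    if isinstance(node, ast.Constant) and isinstance(
            node.value, (str, int, float, bool, type(None))):
        return node.value
    raise ValueError('only bound names and literals are allowed as arguments')


def build_safely(spec, namespace):
    """Build the object described by spec without exec(): parse, check, call."""
    try:
        tree = ast.parse(spec, mode='eval')   # eval mode: exactly one expression
    except SyntaxError as e:
        raise ValueError('not a single expression: %s' % e)
    call = tree.body
    if not isinstance(call, ast.Call):
        raise ValueError('spec must be a constructor call')
    path = _dotted_name(call.func)
    if path not in ALLOWED_CONSTRUCTORS:
        raise ValueError('constructor %r is not on the allow list' % path)
    if any(kw.arg is None for kw in call.keywords):
        raise ValueError('**kwargs not allowed')
    args = [_argument(a, namespace) for a in call.args]   # *x is Starred: rejected
    kwargs = {kw.arg: _argument(kw.value, namespace) for kw in call.keywords}
    return ALLOWED_CONSTRUCTORS[path](*args, **kwargs)


def rejects(spec, namespace):
    """True if build_safely refuses the spec."""
    try:
        build_safely(spec, namespace)
    except ValueError:
        return True
    return False


# Constructed form inputs: one legitimate, two that pass the ';' check anyway.
GOOD = "demo_products.dtml.DTMLMethod(data, __name__=id)"
ARG_INJECTION = ("demo_products.dtml.DTMLMethod("
                 "getattr(__import__('os'), 'getpid')(), __name__=id)")
NEWLINE_INJECTION = GOOD + "\nob = getattr(__import__('os'), 'getpid')()"

if __name__ == '__main__':
    ns = {'data': 'hello', 'id': 'doc1'}
    print(build_with_exec(ARG_INJECTION, ns).data)   # a pid: os was called
    print(build_with_exec(NEWLINE_INJECTION, ns))    # a pid: 'ob' was replaced
    print(rejects(ARG_INJECTION, ns), rejects(NEWLINE_INJECTION, ns))
    print(build_safely(GOOD, ns).id)
```

The point of the second half is that the management interface only ever has to choose between constructors the product already knows about, so the allow list can be keyed on the dotted path and the user string is reduced to data that is looked up, never code that is run; eval-mode parsing also rejects the newline trick outright, since a second statement is not a single expression.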