Andre wrote:
> Mark Rowe <[EMAIL PROTECTED]> wrote in message news:<[EMAIL PROTECTED]>...
> > On Mar 3, 2005, at 9:33 PM, Simon Wittber wrote:
> >
> > >> You mean like 'import'? :)
> > >
> > > That's how I would do it. It's the simplest thing, that works.
> > >
> > > exec("import %s as plugin" % pluginName)
> > > plugin.someMethod()
> > >
> > > where pluginName is the name of the python file, minus the ".py"
> > > extension.
> >
> > A better method would be something along the lines of:
> >
> > plugin = __import__(pluginName)
> > plugin.someMethod()
> >
> > This avoids the potential security problem that `exec' poses as well as
> > the need to parse + interpret the string.
> >
> What happens if you have:
> .def someMethod():
> .    import os
> .    rm * # or whatever other evil thing you might think of
>
> Andre


Some time back I remember discussions on plugin risks in
Leo (leo.sf.net). The conclusion was someone can always harm
your system by writing a nasty plugin. Hence you should always
use plugins from sources you can trust. I don't know if there
is any alternative way in Python to have safe third party
plugins.

-- 
http://mail.python.org/mailman/listinfo/python-list
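
An added example, not code from any poster in this thread: a loader that takes the `__import__` idea one step further by validating the plugin name and loading only from one plugin directory. It removes the string-injection risk of the `exec` form but, as the last message concludes, it does not sandbox what a loaded plugin does. The names `load_plugin`, `plugin_dir`, `allowed` and the sample plugin files are assumptions made for the illustration.

```python
import importlib.util
import tempfile
from pathlib import Path


def load_plugin(plugin_name, plugin_dir, allowed):
    """Load plugin_name from plugin_dir without building code from a string."""
    # A plugin name must be a bare identifier: this rejects ';', spaces,
    # dots and path separators before the name is used anywhere.
    if not isinstance(plugin_name, str) or not plugin_name.isidentifier():
        raise ValueError("invalid plugin name: %r" % (plugin_name,))
    # Only plugins the operator has reviewed are loadable (hypothetical allowlist).
    if plugin_name not in allowed:
        raise PermissionError("plugin not on the allowlist: %r" % (plugin_name,))
    path = Path(plugin_dir) / (plugin_name + ".py")
    if not path.is_file():
        raise FileNotFoundError(str(path))
    # Load from this exact file instead of searching sys.path, so a name
    # such as "os" can never resolve to some other module.
    spec = importlib.util.spec_from_file_location("plugin_" + plugin_name, path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)  # the plugin body runs with full privileges
    return module


def demo():
    """Constructed sample: one reviewed plugin and three names that are refused."""
    with tempfile.TemporaryDirectory() as plugin_dir:
        Path(plugin_dir, "hello.py").write_text(
            "def someMethod():\n    return 'hello from plugin'\n")
        Path(plugin_dir, "unreviewed.py").write_text(
            "def someMethod():\n    return 'not vetted'\n")
        allowed = {"hello"}
        results = {"hello": load_plugin("hello", plugin_dir, allowed).someMethod()}
        for name in ("os; print(1)", "../hello", "unreviewed"):
            try:
                load_plugin(name, plugin_dir, allowed)
                results[name] = "loaded"
            except (ValueError, PermissionError) as exc:
                results[name] = type(exc).__name__
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-14r -> %s" % (name, outcome))
```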
