[mod_python] python program versus handler

Graham Dumpleton graham.dumpleton at gmail.com
Tue May 22 19:48:42 EDT 2007


On 23/05/07, Greg Fawcett <greg at vig.co.nz> wrote:
>     try:
>         action=eval('module.'+actionName)
>     except:
>         apache.log_error('vfax.py could not find action "%s"'%(actionName))
>         return apache.HTTP_NOT_FOUND

For a start, don't use eval(), it can be dangerous. Imagine someone
constructing a URL which contains a sequence of Python commands in it.

  >>> import sys
  >>> import os
  >>> eval('sys.version and os.system("echo hi")')

If calling functions, use:

  if hasattr(module, actionName):
    object = getattr(module, actionName)
    return object(req)
  else:
    return apache.HTTP_NOT_FOUND

I'd suggest there are perhaps better ways of doing what you are doing,
but don't have the time to go into it now and could also take a long
time to explain how to do it properly and securely. More often than
not, one is better off using a dispatcher written by someone else
which has been used a lot and which is known not to have issues. That
or at least look at others' code and learn from it when making your
own. :-)

Graham
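
An added example, not part of the original post: a stricter version of the getattr() lookup above, since getattr() also resolves imported modules, constants and helper functions that were never meant to be reachable from a URL. The names `dispatch`, `expose` and `actions`, and the `HTTP_NOT_FOUND` stand-in for `apache.HTTP_NOT_FOUND`, are assumptions made so the block runs without mod_python.

```python
import os
import re
import types

HTTP_NOT_FOUND = 404  # stand-in for apache.HTTP_NOT_FOUND (assumption)
_NAME_RE = re.compile(r"[a-z][a-z0-9_]*")


def expose(func):
    """Mark a function as callable from a URL (hypothetical decorator)."""
    func._exposed = True
    return func


def dispatch(module, action_name, req):
    """Resolve action_name in module without eval() and call it with req."""
    # Only a plain lowercase identifier is accepted: no dots, parentheses,
    # spaces or leading underscores ever reach getattr().
    if not isinstance(action_name, str) or not _NAME_RE.fullmatch(action_name):
        return HTTP_NOT_FOUND
    target = getattr(module, action_name, None)
    # getattr() finds imported modules, classes and constants too, so
    # require a plain function that was explicitly marked with @expose.
    if not isinstance(target, types.FunctionType):
        return HTTP_NOT_FOUND
    if getattr(target, "_exposed", False) is not True:
        return HTTP_NOT_FOUND
    return target(req)


def _send(req):
    return "sent:%s" % req


def _helper(req):
    return "internal"


# Constructed sample module standing in for the application's action module.
actions = types.ModuleType("actions")
actions.send = expose(_send)   # intended entry point
actions.helper = _helper       # internal function, not exposed
actions.os = os                # name the module merely imported
actions.SECRET = "x"           # non-callable attribute
```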

