
Re: [PATCH] mail address handling in mailer.py

From: Mathias Weinert <mathias.weinert_at_gfa-net.de>
Date: 2006-06-08 17:19:35 CEST

Branko Cibej wrote:
> Mathias Weinert wrote:
> > Branko Cibej wrote:
> >
> >> Mathias Weinert wrote:
> >>
> >>> Adding a new option 'to_addrs' is okay for me. So the following questions
> >>> have to be answered:
> >>>
> >>> o Do we use to_addr only if to_addrs isn't set or do we combine them?
> >>> -> I would say use only one of them.
> >>>
> >>> o Which character will be used for splitting?
> >>> -> Although several (most) mail clients use ',' I could also accept to
> >>> use the semicolon ';'. So is it ',' or ';'?
> >>>
> >>> o Do we want to use your code example to make the splitting process more
> >>> smart?
> >>> -> In order to not make it too complicated I would say 'No' (although
> >>> I appreciate your code example).
> >>>
> >>> What do you think?
> >>>
> >>>
> >> I think it's a waste of time to write this kind of parser in Python. :)
> >>
> >> Teach mailer.py to expect a Python list in the to_addr option if the
> >> character in the option value is a bracket. So, if you write:
> >>
> >> to_addr = [ 'list',
> >> 'of',
> >> 'mail',
> >> 'addresses' ]
> >>
> >> you can simply evaluate the option's value and get a Python list object.
> >> On the con side, the list elements would have to be valid Python
> >> strings, using Python's quoting rules.
> >>
> >
> > At first thought, yes, great idea. No changes of config file needed
> > (except a comment about the new feature), no deprecation and my goal
> > achieved.
> >
> > But then I tried to implement the "you can simply evaluate
> > the option's value and get a Python list object." idea...
> > After doing some internet research I found out that there doesn't seem
> > to be any simple way to do this.
> >
> > So unless you are able to tell me how to simply do the string to list
> > conversion we have to find another solution.
> >
> So much for "internet research," then.
>
> $ python
> Python 2.4.2 (#67, Sep 28 2005, 12:41:11) [MSC v.1310 32 bit (Intel)] on win32
> Type "help", "copyright", "credits" or "license" for more information.
> >>> p = eval("['this', 'is', 'a', 'list', 'of', 'strings']")
> >>> print p
> ['this', 'is', 'a', 'list', 'of', 'strings']
> >>> print ' '.join(p)
> this is a list of strings
> >>> ^Z
>
>
> I fail to see how it could be simpler.
>

This is indeed a very simple solution and, believe it or not,
I also found this solution. But after doing some more
research I discovered that this is a big security hole because
with the eval function any Python code could be executed!

Mathias

Received on Thu Jun 8 17:20:27 2006

This is an archived mail posted to the Subversion Dev mailing list.
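
The concern raised in the last message, shown as an added example that is not part of the thread or of mailer.py: a bracketed to_addr value is parsed with ast.literal_eval (standard library, newer than the Python 2.4.2 in the quoted session), which accepts only literals and refuses anything eval() would execute. The names parse_to_addr and is_rejected, the fallback to a single plain address, and the sample values are assumptions constructed for illustration.

```python
import ast


def parse_to_addr(value):
    """Return a list of address strings from a to_addr option value.

    Assumption (not mailer.py's actual behaviour): a value starting with
    '[' is a Python list literal; anything else is one plain address.
    """
    value = value.strip()
    if not value.startswith("["):
        return [value] if value else []
    try:
        # literal_eval accepts only literals (strings, numbers, lists, ...);
        # names, calls and attribute access raise instead of being executed.
        parsed = ast.literal_eval(value)
    except (ValueError, SyntaxError, TypeError,
            MemoryError, RecursionError) as exc:
        raise ValueError("to_addr is not a plain list literal: %s" % exc)
    if not isinstance(parsed, list) or not all(
            isinstance(addr, str) for addr in parsed):
        raise ValueError("to_addr must be a list of strings")
    return parsed


def is_rejected(value):
    """True if parse_to_addr refuses the value."""
    try:
        parse_to_addr(value)
    except ValueError:
        return True
    return False


# Constructed sample option values (not taken from any real configuration).
LIST_VALUE = "[ 'dev@example.org',\n  'commits@example.org' ]"
CALL_VALUE = "[''.join(['x', 'y'])]"     # contains a call; eval() would run it
MIXED_VALUE = "['dev@example.org', 42]"  # a literal, but not all strings

if __name__ == "__main__":
    print(parse_to_addr(LIST_VALUE))
    print(parse_to_addr("dev@example.org"))
    for bad in (CALL_VALUE, MIXED_VALUE, "['unterminated'"):
        print(repr(bad), "rejected:", is_rejected(bad))
```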