From 4589cfeff2fad8db016f54ba05e57ef2fe0aa51f Mon Sep 17 00:00:00 2001
From: Nicolas Sebrecht
Date: Tue, 23 Dec 2014 10:12:23 +0100
Subject: [PATCH] localeval: comment on security issues

Minor syntax fixes.

Signed-off-by: Nicolas Sebrecht
---
 offlineimap/localeval.py | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/offlineimap/localeval.py b/offlineimap/localeval.py
index 22014e6..e7d656f 100644
--- a/offlineimap/localeval.py
+++ b/offlineimap/localeval.py
@@ -1,7 +1,6 @@
 """Eval python code with global namespace of a python source file."""
-# Copyright (C) 2002 John Goerzen
-#
+# Copyright (C) 2002-2014 John Goerzen & contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -24,18 +23,24 @@ except:
 pass
 class LocalEval:
+ """Here is a powerfull but very dangerous option, of course.
+
+ Assume source file to be ASCII encoded."""
+
 def __init__(self, path=None):
- self.namespace={}
+ self.namespace = {}
 if path is not None:
- file=open(path, 'r')
- module=imp.load_module(
+ # FIXME: limit opening files owned by current user with rights set
+ # to fixed mode 644.
+ file = open(path, 'r')
+ module = imp.load_module(
 '', file, path, ('', 'r', imp.PY_SOURCE))
 for attr in dir(module):
- self.namespace[attr]=getattr(module, attr)
+ self.namespace[attr] = getattr(module, attr)
 def eval(self, text, namespace=None):
 names = {}
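Review bot: The handle opened on the re-emitted `file = open(path, 'r')` line in `__init__` is never closed — `imp.load_module` leaves closing to the caller — so every `LocalEval(path)` holds a descriptor until garbage collection; wrap the load in a context manager, `with open(path, 'r') as file:` with the `module = imp.load_module('', file, path, ('', 'r', imp.PY_SOURCE))` call indented under it. When the ownership/mode restriction described in the added FIXME is implemented, it should inspect the already-opened handle (e.g. `os.fstat(file.fileno())`, importing `os`) rather than stat the path, so that the file whose owner and permission bits are checked is the same one whose code is then executed. The new class docstring should state the contract before the warning, e.g. `"""Execute the Python source at *path* in this process and expose its globals as a namespace.` as the first line, and 'powerfull' is misspelled ('powerful'). The `LocalEval` class continues past the end of the hunk, where `eval` is cut off.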