localeval: comment on security issues

Minor syntax fixes. Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
2014-12-23 10:12:23 +01:00 · 2014-12-23 10:12:23 +01:00 · 4589cfeff2
commit 4589cfeff2
parent e613f6992d
1 changed files with 11 additions and 6 deletions
--- a/offlineimap/localeval.py
+++ b/offlineimap/localeval.py
@ -1,7 +1,6 @@
 """Eval python code with global namespace of a python source file."""

-# Copyright (C) 2002 John Goerzen
-# <jgoerzen@complete.org>
+# Copyright (C) 2002-2014 John Goerzen & contributors
 #
 #    This program is free software; you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
@ -24,10 +23,16 @@ except:
    pass

 class LocalEval:
+    """Here is a powerfull but very dangerous option, of course.
+
+    Assume source file to be ASCII encoded."""
+
    def __init__(self, path=None):
        self.namespace = {}

        if path is not None:
+            # FIXME: limit opening files owned by current user with rights set
+            # to fixed mode 644.
            file = open(path, 'r')
            module = imp.load_module(
                '<none>',