localeval: comment on security issues

Minor syntax fixes. Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
2014-12-23 10:12:23 +01:00 · 2014-12-23 10:12:23 +01:00 · 4589cfeff2
commit 4589cfeff2
parent e613f6992d
1 changed files with 11 additions and 6 deletions
--- a/offlineimap/localeval.py
+++ b/offlineimap/localeval.py
@ -1,7 +1,6 @@
 """Eval python code with global namespace of a python source file."""

-# Copyright (C) 2002 John Goerzen
-# <jgoerzen@complete.org>
+# Copyright (C) 2002-2014 John Goerzen & contributors
 #
 #    This program is free software; you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
@ -24,18 +23,24 @@ except:
    pass

 class LocalEval:
+    """Here is a powerfull but very dangerous option, of course.
+
+    Assume source file to be ASCII encoded."""
+
    def __init__(self, path=None):
-        self.namespace={}
+        self.namespace = {}

        if path is not None:
-            file=open(path, 'r')
-            module=imp.load_module(
+            # FIXME: limit opening files owned by current user with rights set
+            # to fixed mode 644.
+            file = open(path, 'r')
+            module = imp.load_module(
                '<none>',
                file,
                path,
                ('', 'r', imp.PY_SOURCE))
            for attr in dir(module):
-                self.namespace[attr]=getattr(module, attr)
+                self.namespace[attr] = getattr(module, attr)

    def eval(self, text, namespace=None):
        names = {}