Those of you that have gone through the forum have probably seen @austen’s thread titled Thinking out loud. If you haven’t, you should check it out. It’s kind of like a running blog that he keeps here, on the forum, outlining some of the thoughts he’s having on whatever project he’s currently working on. I operate in a similar way: I find that I tend to overcome obstacles if I “think out loud” and document my thoughts in some way (and, therefore, I’m stealing his idea). It falls in line with the advice Zed gives us, where we should write out our problem and what it is we’re trying to accomplish. Plus, you get to see other people sometimes struggle and overcome certain obstacles in programming, which is reassuring in its own way.
I’m currently working on the very last exercise in Learn Python 3 the Hard Way, where we piece together everything we’ve learned in the last ten or so exercises. I’ve gotten the code working, now I need to start refactoring it and patching up some of the bugs that we’ve implemented. I’m starting at the very bottom of our planisphere
module, with our load_room
and name_room
functions:
def load_room(name):
"""
There is a potential security problem here.
Who gets to set name? Can that expose a variable?
"""
return globals().get(name)
def name_room(room):
"""
Same possible security problem. Can you trust room?
What's a better solution than this globals lookup?
"""
for key, value in globals().items():
if value == room:
return key
In short, load_room
looks for our room’s name in the global namescape and grabs its vale, which is the object we’re looking to pass when we render our template. name_room
returns the key we’re using to help “set up” our session. These parts I understood.
What I didn’t understand was our security issue concerning the globals()
lookup. Zed was able to shed some light on this, though:
In this context, we could whitelist our global variables. This way, we control what name
is set to, and users can’t go in and hack our script apart (hopefully).