473,239 Members | 1,552 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,239 software developers and data experts.

SafeConfigParser can set unsafe values

SafeConfigParser is supposed to be safer than ConfigParser, but calling
set with a string value containing '%' generates exceptions when you
get() it back.

Python 2.5.1 (r251:54863, Apr 25 2007, 21:31:46)
[GCC 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>import configparser
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
ImportError: No module named configparser
>>import ConfigParser

x=ConfigParser.SafeConfigParser()
x.add_section('test')
x.set('test', 'a', 'hi%there')
x.get('test', 'a')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python2.5/ConfigParser.py", line 525, in get
return self._interpolate(section, option, value, d)
File "/usr/lib/python2.5/ConfigParser.py", line 593, in _interpolate
self._interpolate_some(option, L, rawval, section, vars, 1)
File "/usr/lib/python2.5/ConfigParser.py", line 634, in _interpolate_some
"'%%' must be followed by '%%' or '(', found: %r" % (rest,))
ConfigParser.InterpolationSyntaxError: '%' must be followed by '%' or
'(', found: '%there'
ConfigParser does not do this:
>>y=ConfigParser.ConfigParser()
y.add_section('test')
y.set('test', 'a', 'hi%there')
y.get('test', 'a')
'hi%there'
Should SafeConfigParser.set() be escaping automatically?

Hamish
Jul 10 '07 #1
4 3817
Should SafeConfigParser.set() be escaping automatically?

It seems like that would be a nice feature. However, may I offer up
that if you are setting an option and then later on getting that value
back in the same program, you probably should have used some other
storage mechanism in the first place. That is, you shouldn't store
values needed during the runtime of your program in a ConfigParser
instance.

As far as I can tell, these are the valid use cases for ConfigParser:

1. Use ConfigParser to read values from an config file
- This implies .read() followed by .get()s
2. Use ConfigParser to create and write a config file
- This implies .set()s followed by .write()
3. Use ConfigParser to read, modify and write a config file.
- This implies .read() followed by .get()s followed by .set()s
followed by .write()

None of the above use cases involve calling .get() after a .set().
Perhaps I am missing a use case though.

While I think you have technically pointed out a potential bug, I'm
not sure why it matters. Such a bug only comes about for (IMHO) flawed
use cases.

Matt

Jul 10 '07 #2
En Tue, 10 Jul 2007 20:53:51 -0300, Matimus <mc******@gmail.comescribió:
>Should SafeConfigParser.set() be escaping automatically?

It seems like that would be a nice feature. However, may I offer up
that if you are setting an option and then later on getting that value
back in the same program, you probably should have used some other
storage mechanism in the first place. That is, you shouldn't store
values needed during the runtime of your program in a ConfigParser
instance.

As far as I can tell, these are the valid use cases for ConfigParser:

1. Use ConfigParser to read values from an config file
- This implies .read() followed by .get()s
2. Use ConfigParser to create and write a config file
- This implies .set()s followed by .write()
3. Use ConfigParser to read, modify and write a config file.
- This implies .read() followed by .get()s followed by .set()s
followed by .write()

None of the above use cases involve calling .get() after a .set().
Perhaps I am missing a use case though.

While I think you have technically pointed out a potential bug, I'm
not sure why it matters. Such a bug only comes about for (IMHO) flawed
use cases.
This not only happens when get() after a set(), but with all the use cases
above. An intervening write()/read() does not change things.
But I'm not sure it is a bug really. If all % were escaped automatically,
there is no way to write a templatized value. Maybe SafeConfigParser.set
should grow an escape argument, controlling whether one wants the value
escaped or not. For compatibility reasons should default to False, for
usability reasons should default to True.

--
Gabriel Genellina

Jul 11 '07 #3
Matimus wrote:
>Should SafeConfigParser.set() be escaping automatically?

It seems like that would be a nice feature. However, may I offer up
that if you are setting an option and then later on getting that value
back in the same program, you probably should have used some other
storage mechanism in the first place. That is, you shouldn't store
values needed during the runtime of your program in a ConfigParser
instance.
I agree, but that was a trivial example to demonstrate the problem.
Writing the file out to disk writes it exactly as set(), causing a get()
to fail just the same later.
While I think you have technically pointed out a potential bug, I'm
not sure why it matters. Such a bug only comes about for (IMHO) flawed
use cases.
Sorry, that's incorrect.
Hamish
Jul 11 '07 #4
I agree, but that was a trivial example to demonstrate the problem.
Writing the file out to disk writes it exactly as set(), causing a get()
to fail just the same later.
No... The above statement is not true.

The following code:

Expand|Select|Wrap|Line Numbers
  1. from ConfigParser import *
  2. import sys
  3.  
  4. cp = SafeConfigParser()
  5. cp.add_section("sect")
  6. cp.set("sect","opt","hello%world")
  7.  
  8. cp.write(sys.stdout)
  9.  
Produces this output:
[sect]
opt = hello%world

The write method never calls get. However, when you read the file that
was output by the above code using .get(...) will raise an error. You
can avoid that error by setting the optional 'raw' parameter to True.

Jul 11 '07 #5

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

4
by: Jon Milner | last post by:
How do I declare that my code is unsafe? Sorry the help files at my University have not been installed!
7
by: _ed_ | last post by:
I'd like to build a class or struct composed of pointers to variables. Does this require dropping into an 'unsafe' block, or is there a trick? .... int value1 = 1234; bool value2 = false;...
2
by: James Dean | last post by:
I cannot access my array of points in unsafe mode....why?.....i can see the values but when i do pointPtr->x then it says it cannot access the values. The pointPtr->X has no value. *** Sent...
0
by: Robert Rae | last post by:
I'm calling the C++ function below from C#: GENCLIENT_API int CleanseEx(char ncSystem, const char *strServer, const char **pNames, const char **pInputData, const char **pRules, char...
0
by: Robert Rae | last post by:
I'm calling the C++ function below from C#: GENCLIENT_API int CleanseEx(char ncSystem, const char *strServer, const char **pNames, const char **pInputData, const char **pRules, char...
7
by: TomHL | last post by:
hello, - I have a Bitmap Object named: bmp1 - I already have the numerical values of:red,blue and green colors + I have the X and Y cordinates. How do I set the pixel value via safe code on...
3
by: TomHL | last post by:
this code set the color that I want only on the first pixel. I have an X & Y values of the pixel that I want to change. How do I change the pointer's position according to my X & Y values that I...
0
by: Robert Rae | last post by:
I'm calling the C++ function below from C#: GENCLIENT_API int CleanseEx(char ncSystem, const char *strServer, const char **pNames, const char **pInputData, const char **pRules, char...
3
by: DR | last post by:
I heard there is some trick to referencing statics in C# CLR stored procedure without having to mark the assembly as unsafe. Does anyone know this? This is usefull as the case of needing a little...
3
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 3 Jan 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). For other local times, please check World Time Buddy In...
0
by: jianzs | last post by:
Introduction Cloud-native applications are conventionally identified as those designed and nurtured on cloud infrastructure. Such applications, rooted in cloud technologies, skillfully benefit from...
0
by: abbasky | last post by:
### Vandf component communication method one: data sharing ​ Vandf components can achieve data exchange through data sharing, state sharing, events, and other methods. Vandf's data exchange method...
2
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 7 Feb 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:30 (7.30PM). In this month's session, the creator of the excellent VBE...
0
by: stefan129 | last post by:
Hey forum members, I'm exploring options for SSL certificates for multiple domains. Has anyone had experience with multi-domain SSL certificates? Any recommendations on reliable providers or specific...
0
Git
by: egorbl4 | last post by:
Скачал я git, хотел начать настройку, а там вылезло вот это Что это? Что мне с этим делать? ...
1
by: davi5007 | last post by:
Hi, Basically, I am trying to automate a field named TraceabilityNo into a web page from an access form. I've got the serial held in the variable strSearchString. How can I get this into the...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
by: Aftab Ahmad | last post by:
Hello Experts! I have written a code in MS Access for a cmd called "WhatsApp Message" to open WhatsApp using that very code but the problem is that it gives a popup message everytime I clicked on...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.