The previous section discussed eval(); the same considerations also apply to exec().
Generally, the set of available globals() is tightly controlled. Access to the os and subprocess modules, or the __import__() function, can be eliminated by removing them from the globals provided to exec().
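An added example, not from the original text: a loader that passes exec() an explicit globals dictionary, so a configuration file sees math and a few builtins but not os, subprocess or __import__(). The names load_config, try_load, SAFE_BUILTINS and the sample configuration strings are constructed for illustration.

```python
# Added example: all names and sample config text are constructed.
import math

# Only these builtins are visible to the configuration code.
# __import__, open, eval and exec are deliberately left out.
SAFE_BUILTINS = {"abs": abs, "min": min, "max": max, "int": int,
                 "float": float, "str": str, "len": len, "range": range}


def load_config(source: str) -> dict:
    """Run configuration source with a tightly controlled namespace."""
    globals_ = {"__builtins__": SAFE_BUILTINS, "math": math}
    locals_ = {}
    exec(source, globals_, locals_)
    return locals_  # the names the configuration file assigned


def default_exposes_import() -> bool:
    """Show why "__builtins__" must be set explicitly: when the key is
    absent, exec() inserts the full builtins, __import__ included."""
    globals_ = {}
    exec("", globals_)
    builtins_ = globals_["__builtins__"]
    names = builtins_ if isinstance(builtins_, dict) else vars(builtins_)
    return "__import__" in names


def try_load(source: str) -> str:
    """Return 'ok' or the name of the exception the config raised."""
    try:
        load_config(source)
        return "ok"
    except Exception as ex:
        return type(ex).__name__


GOOD_CONFIG = """
table_size = max(38, 2 * 19)
tolerance = math.sqrt(2) / 100
"""
BAD_IMPORT = "import os\nhome = os.getcwd()\n"   # no __import__ available
BAD_NAME = "home = os.getcwd()\n"                # os was never provided

if __name__ == "__main__":
    print(load_config(GOOD_CONFIG))
    print(try_load(BAD_IMPORT), try_load(BAD_NAME))
    print(default_exposes_import())
```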
If you have an evil programmer who will cleverly corrupt the configuration files, then recall that they have complete access to the entire Python source. So, why would they waste time cleverly tweaking configuration files when they can just change the application code itself?
One question can be summarized like this: What if someone thinks they can monkey patch the application by forcing new code in via the configuration file? The person trying this is just as likely to break the application through a number of other equally clever or deranged channels. Avoiding...