From cad30b1a6e02914c3e69cb6a017a052e334bce78 Mon Sep 17 00:00:00 2001
From: David Lechner
Date: Fri, 27 Apr 2018 23:44:39 -0500
Subject: [PATCH] don't use eval() for parsing method in config file

This improves the config file parsing of the method property. It fixes possible code injection via eval() as well as makes parsing a bit more robust by filtering out invalid values, such as the obsolete fantom driver values.

Fixes #137
---
 nxt/locator.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/nxt/locator.py b/nxt/locator.py
index 17d0892..b91cd4b 100644
--- a/nxt/locator.py
+++ b/nxt/locator.py
@@ -99,7 +99,10 @@ def find_one_brick(host=None, name=None, silent=False, strict=None, debug=False,
         host = conf.get('Brick', 'host')
         name = conf.get('Brick', 'name')
         strict = bool(int(conf.get('Brick', 'strict')))
-        method = eval('Method(%s)' % conf.get('Brick', 'method'))
+        methods = map(lambda x: x.strip().split('='),
+                      conf.get('Brick', 'method').split(','))
+        method = Method(**{k: v == 'True' for k, v in methods
+                           if k in ('bluetooth', 'usb', 'device')})
         if not strict: strict = True
         if not method: method = Method()
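Review bot: The new dict comprehension raises a bare `ValueError` for any config entry that is not exactly one `key=value` pair, because the `for k, v in methods` unpacking runs before the `if k in (...)` allowlist filter: an empty `method` value (`''.split(',')` is `['']`), a trailing comma, or an entry like `usb=True=x` all crash `find_one_brick` instead of being ignored, whereas the commit message says invalid values are filtered out. Entries written with spaces around the equals sign (`usb = True`) are silently dropped, since `x.strip()` runs before `split('=')` and leaves `'usb '` as the key and `' True'` as the value, which is neither in the allowlist nor equal to `'True'`. The allowlist plus the strict `== 'True'` comparison is the right fail-closed replacement for `eval()` and should stay; using `str.partition` and stripping each side tolerates the malformed and spaced forms without reopening code execution. `find_one_brick` starts before this hunk and continues after it, so the caller-side handling of `method` is not visible here.
```python
        allowed = ('bluetooth', 'usb', 'device')
        entries = (x.partition('=') for x in conf.get('Brick', 'method').split(','))
        flags = {k.strip(): v.strip() == 'True' for k, _, v in entries}
        method = Method(**{k: v for k, v in flags.items() if k in allowed})
        # … unchanged: strict / method defaults …
```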