don't use eval() for parsing method in config file

This improves the config file parsing of the method property. It fixes possible code injection via eval() as well as makes parsing a bit more robust by filtering out invalid values, such as the obsolete fantom driver values. Fixes schodet#137
tcwan · Apr 28, 2018 · cad30b1 · cad30b1
1 parent 9851bee
commit cad30b1
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/nxt/locator.py b/nxt/locator.py
@@ -99,7 +99,10 @@ def find_one_brick(host=None, name=None, silent=False, strict=None, debug=False,
         host	= conf.get('Brick', 'host')
         name	= conf.get('Brick', 'name')
         strict	= bool(int(conf.get('Brick', 'strict')))
-        method	= eval('Method(%s)' % conf.get('Brick', 'method'))
+        methods = map(lambda x: x.strip().split('='),
+                      conf.get('Brick', 'method').split(','))
+        method = Method(**{k: v == 'True' for k, v in methods
+                           if k in ('bluetooth', 'usb', 'device')})
     if not strict: strict = True
     if not method: method = Method()