(Apologies for the EN)
- classBase = eval(data[""] + "." + data[""].title())
- except NameError:
- logger.error("Don't know how to handle message type: \"%s\"", data[""])
+ m = import_module("messagetypes." + data[""])
+ classBase = getattr(m, data[""].title())
+ except (NameError, ImportError):
+ logger.error("Don't know how to handle message type: \"%s\"", data[""], exc_info=True)
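Review bot: the new `except (NameError, ImportError)` does not cover the failure this hunk introduces: if the module imports but has no class named `data[""].title()`, `getattr(m, ...)` raises AttributeError, which escapes this handler instead of hitting the "Don't know how to handle message type" log line. Add AttributeError to the tuple (NameError is now dead code since eval() is gone), and since the message-type value is still spliced unvalidated into `"messagetypes." + data[""]`, check it against the fixed set of known type names (or at least reject values containing ".") before calling `import_module`, so a dotted value cannot select an arbitrary submodule.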
Yes, eval() is quite dangerous to use in almost any context other than on static, internal data. Definitely not safe to use on anything tainted by user input.
Looking at their security-tagged issues, Firejail looks like a good general step in the direction of sandboxing interactions:
https://github.com/Bitmessage/PyBitmessage/labels/security
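To make the eval() point above concrete, here is an added example of the dispatch pattern done with an allow-list instead of eval(): the untrusted type string is validated and matched against a fixed set before it is spliced into an import path, and the "module exists but lacks the class" case is handled explicitly. This is illustrative code, not PyBitmessage's own; the `messagetypes` package, the `Text` handler class and the `"type"` key are assumptions, and the package is faked in `sys.modules` so the example runs offline.

```python
import importlib
import re
import sys
import types

# Added example: allow-listed handler lookup for an untrusted message type.
# Module/class names here are assumptions, not PyBitmessage's real layout.

# Fixed set of message types the dispatcher is willing to load. Anything
# not in here is refused before import_module() is ever called.
KNOWN_MESSAGE_TYPES = frozenset({"text", "vote"})

# Defence in depth: even an allow-listed value must be a plain identifier,
# so dotted paths, dunders and relative names can never reach import_module.
_SAFE_NAME = re.compile(r"^[a-z][a-z0-9_]*$")


class UnknownMessageType(ValueError):
    """Raised when a message names a type the dispatcher cannot handle."""


def resolve_handler(msg_type, package="messagetypes"):
    """Map an untrusted message-type string to its handler class.

    Unlike eval(msg_type + "." + msg_type.title()), the input never becomes
    code: it is checked against KNOWN_MESSAGE_TYPES and only then used to
    name a submodule of the fixed package.
    """
    if not isinstance(msg_type, str) or not _SAFE_NAME.match(msg_type):
        raise UnknownMessageType("malformed message type: %r" % (msg_type,))
    if msg_type not in KNOWN_MESSAGE_TYPES:
        raise UnknownMessageType("unsupported message type: %r" % (msg_type,))
    try:
        module = importlib.import_module(package + "." + msg_type)
    except ImportError as exc:
        raise UnknownMessageType("no module for %r" % (msg_type,)) from exc
    # The module may exist but lack the expected class; getattr() would raise
    # AttributeError, not ImportError, so handle that case explicitly.
    handler = getattr(module, msg_type.title(), None)
    if handler is None:
        raise UnknownMessageType("no handler class for %r" % (msg_type,))
    return handler


def dispatch(data):
    """Instantiate the handler for one message dict; unknown types yield None."""
    try:
        handler = resolve_handler(data.get("type"))
    except UnknownMessageType:
        # A real daemon would log here, e.g. logger.error(..., exc_info=True).
        return None
    return handler(data)


# --- constructed stand-in for a "messagetypes" package so this runs offline ---
def _install_fake_package():
    pkg = types.ModuleType("messagetypes")
    pkg.__path__ = []  # empty search path: marks it as a package with no files
    text_mod = types.ModuleType("messagetypes.text")

    class Text:
        def __init__(self, data):
            self.body = data.get("body", "")

    text_mod.Text = Text
    # "vote" is allow-listed but deliberately has no module, to exercise the
    # ImportError path without touching the filesystem.
    sys.modules["messagetypes"] = pkg
    sys.modules["messagetypes.text"] = text_mod


_install_fake_package()

if __name__ == "__main__":
    # Constructed sample messages: one good, the rest hostile or malformed.
    for msg in ({"type": "text", "body": "hello"},
                {"type": "os"},                 # real module, not allow-listed
                {"type": "text.__class__"},     # dotted path, fails validation
                {"type": "vote"},               # allow-listed, module missing
                {"type": 42}):
        print(msg, "->", dispatch(msg))
```

The `"os"` case is the one that matters: with the original `eval(data + "." + data.title())`, or with `import_module("messagetypes." + data)` and no allow-list, the attacker chooses which module is imported and which attribute is read; here the only strings that ever reach `import_module` are the two the dispatcher already knows.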