Truth be told, it's gonna be tough to stop people with python files if they really are that intent on evilness. However, if you're really paranoid about one, there are some quick checks you can do:
Since the easiest way to screw up a computer is to delete files or run programs, one of the easiest ways to accomplish this through python is through system commands. In python, watch out for any script that imports sys and uses the command...
sys.command()
The argument for this function is a string that represents a command that you might see typed in a ms-dos window, so if you see:
sys.command("format c:")
You should probably put it down. Using a utility like grep will allow you to search for stuff like this more easily. Searching for "command" might yield many results, so you'll probably want to search for sys and see if it's ever imported in any mod files. Remember that a coder could say:
Code:
from sys import *
...
command("aReallyDevastatingCommand")
So looking for sys.command won't do it alone. Besides, there might be other commands in the sys module that can be used for bad purposes. It's probably better off that you ask the modder what they use the sys module for, even going so far as to ask them to implicitly declare what functions from sys they're using.
Code:
from sys import getwindowsversion
And while I'm thinking of it, I don't think there's much reason to use a lot of the stuff out of the sys module anyway, so be cautious with those anyway. That's not to say that anyone that imports the sys module into one of their python files is up to nasty things. An example is perhaps they wish to use sys.getwindowsversion() to put what version of windows you have in a log file in case an exception is raised (perhaps the problem is something that is Windows 98 specific, let's say).
The same goes with the os module. In my GEMP project (an mp3 player), I use this module to find and load mp3 files using the os.join and os.walk functions, but watch out if you see someone using calls like os.remove(), os.removedirs() or os.rmdir(). Most modders probably won't need this, since all of the data files to be loaded will be loaded by civ by adding entries in XML files about what files to add (such as their own interface files, music, etc).
Edit: Another function that you should look out for is eval(). This basically takes a string and evaluates it as if it were a python command. So eval("print 5") is the same as typing "print 5" at a python shell and hitting enter. This should almost never be needed, so watch out if any mod uses it.
So, you can use grep to search for imports inside of python files. If you are ever suspicious, ask the mod creator in their mod's thread what the code in question is for. If you're still suspicious, ask a trusted python coder or just live life without that mod.
Edit:
One more thought: Anyone worth their dime trying to ruin your computer with a python mod has probably got a very crafty way of making their code look so strange that a first glance at the code is not enough to see what it does. An example might be breaking up the string "format c:" into multiple innocent-looking strings and then taking bits and pieces to create their string, which makes grep tough to use to find them. Really, your only defense, short of not running it, is looking through all the code.
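An added example (my own, not code from the post or from any mod) of doing the same audit on the syntax tree instead of with grep, so that "import os as o", "from os import remove as rm", "from sys import *" followed by a bare call, and string arguments glued together from innocent-looking pieces are all still caught. It assumes the mod files parse as Python 3 (Civ4's own Python is 2.x, so "print 5"-style files would need a Python 2 parser); the lists of flagged modules and calls are an assumption, seeded from the names the post mentions.

```python
import ast

# Names a reviewer of a mod's .py files would flag. This list is an assumption for the
# example (the post names sys, os.remove/removedirs/rmdir and eval); extend it as needed.
SUSPECT_MODULES = {"sys", "os", "subprocess", "shutil"}
SUSPECT_CALLS = {"os.system", "os.remove", "os.removedirs", "os.rmdir", "os.unlink",
                 "shutil.rmtree", "subprocess.call", "subprocess.Popen", "eval", "exec"}


def scan_source(src, filename="<mod>"):
    """Return sorted (line, finding) pairs for suspect imports and calls in Python source.
    Works on the syntax tree, not the text, so aliases, star imports and call arguments
    pieced together from harmless-looking strings do not hide the call itself."""
    nodes = list(ast.walk(ast.parse(src, filename=filename)))
    aliases, star_modules, findings = {}, set(), set()
    for node in nodes:  # pass 1: record every import so call targets can be resolved
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name  # 'import os as o' -> o means os
                if a.name in SUSPECT_MODULES:
                    findings.add((node.lineno, f"imports {a.name}"))
        elif isinstance(node, ast.ImportFrom):
            mod = node.module or ""
            for a in node.names:
                if a.name == "*":  # bare names may now be anything from this module
                    star_modules.add(mod)
                    findings.add((node.lineno, f"star-import from {mod}"))
                else:
                    aliases[a.asname or a.name] = f"{mod}.{a.name}"
                    if mod in SUSPECT_MODULES:
                        findings.add((node.lineno, f"imports {mod}.{a.name}"))
    for node in nodes:  # pass 2: resolve each call target to a dotted name and check it
        if not isinstance(node, ast.Call):
            continue
        f, names = node.func, []
        if isinstance(f, ast.Name):  # bare call: alias, builtin, or star-imported name
            names = [aliases.get(f.id, f.id)] + [f"{m}.{f.id}" for m in star_modules]
        elif isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
            names = [f"{aliases.get(f.value.id, f.value.id)}.{f.attr}"]
        findings.update((node.lineno, f"calls {n}") for n in names if n in SUSPECT_CALLS)
    return sorted(findings)


# Constructed sample mod file: a grep for "os.system" or "os.remove" finds nothing here.
SAMPLE_MOD = """\
import os as o
from sys import *
from os import remove as rm
o.system("di" + "r")
rm("save.dat")
eval("1+1")
"""
```

Run scan_source over every .py in the mod folder; a hit is a reason to ask the modder what that call is for, not proof of anything by itself.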
As for when the .dll's from SDK mods start coming out, checking the code that comes with the dll's does nothing if you use the dll supplied, since it's tough to check if the dll supplied is actually a result of compiling the code supplied. If you really want to be safe, not only will you have to check the code, but you'll have to be able to compile it yourself.