<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 6, 2015 at 2:44 PM, Eric V. Smith <span dir="ltr"><<a href="mailto:eric@trueblade.com" target="_blank">eric@trueblade.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 08/06/2015 03:02 PM, Wes Turner wrote:<br>
><br>
><br>
> On Wed, Aug 5, 2015 at 8:58 PM, Terry Reedy <<a href="mailto:tjreedy@udel.edu">tjreedy@udel.edu</a><br>
</span><span class="">> <mailto:<a href="mailto:tjreedy@udel.edu">tjreedy@udel.edu</a>>> wrote:<br>
><br>
> On 8/5/2015 3:34 PM, Yury Selivanov wrote:<br>
><br>
> '\{..}' feels unbalanced and weird.<br>
><br>
><br>
> Escape both. The closing } is also treated specially, and not<br>
> inserted into the string. The compiler scans linearly from left to<br>
> right, but human eyes are not so constrained.<br>
><br>
> s = "abc\{kjljid some long expression jk78738}def"<br>
><br>
> versus<br>
><br>
> s = "abc\{kjljid some long expression jk78738\}def"<br>
><br>
> and how about<br>
><br>
> s = "abc\{kjljid some {long} expression jk78738\}def"<br>
><br>
><br>
> +1: escape \{both\}.<br>
><br>
> Use cases where this is (as dangerous as other string interpolation<br>
> methods):<br>
><br>
> * Shell commands that should be shlex-parsed/quoted<br>
> * (inappropriately, programmatically) writing<br>
> code with manually-added quotes ' and doublequotes "<br>
> * XML,HTML,CSS,SQL, textual query language injection<br>
> * Convenient, but dangerous and IMHO much better handled<br>
> by e.g. MarkupSafe, a DOM builder, a query ORM layer<br>
><br>
> Docs / Utils:<br>
><br>
> * [ ] ENH: AST scanner for these (before i do __futre__ import)<br>
> * [ ] DOC: About string interpolation, in general<br>
<br>
</span>I don't understand what you're trying to say.<br>
<br>
os.system("cp \{cmd}")<br>
<br>
is no better or worse than:<br>
<br>
os.system("cp " + cmd)<br></blockquote><div><br></div><div>All wrong (without appropriate escaping):</div><div><br></div><div> os.system("cp thisinthemiddleofmy\{cmd}.tar")<br></div><div> os.system("cp thisinthemiddleofmy\{cmd\}.tar")<br></div><div> os.system("cp " + cmd)<br></div><div> os.exec*</div><div> os.spawn*</div><div><br></div><div>Okay:</div><div><br></div><div> subprocess.call(('cp', 'thisinthemiddleofmy\{cmd\}.tar')) # shell=True=Dangerous</div><div> sarge.run('cp thisinthemiddleofmy{0!s}.tar', cmd)</div><div> </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Yes, there are lots of opportunities in the world for injection attacks.<br>
This proposal doesn't change that. I don't see how escaping the final }<br>
changes anything.<br>
<span class="HOEnZb"><font color="#888888"><br>
Eric.<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
<br>
_______________________________________________<br>
Python-ideas mailing list<br>
<a href="mailto:Python-ideas@python.org">Python-ideas@python.org</a><br>
<a href="https://mail.python.org/mailman/listinfo/python-ideas" rel="noreferrer" target="_blank">https://mail.python.org/mailman/listinfo/python-ideas</a><br>
Code of Conduct: <a href="http://python.org/psf/codeofconduct/" rel="noreferrer" target="_blank">http://python.org/psf/codeofconduct/</a><br>
</div></div></blockquote></div><br></div></div>