<html><head></head><body>Isn't it already like this? It's no harder than:<br>
<br>
Popen('%s a.c' % cc, shell=True)<br>
<br>
Heck, I used to do that when I started programming (I hadn't yet learned about injection stuff).<br>
<br>
If someone is uneducated about injection, they *will do it anyway*. The introduction of format strings (f-strings sounds like a certain word to me...) wouldn't make it any easier, really.<br><br><div class="gmail_quote">On August 11, 2015 1:22:06 PM CDT, Wes Turner <wes.turner@gmail.com> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div dir="ltr"><br /><div class="gmail_extra"><br /><div class="gmail_quote">On Tue, Aug 11, 2015 at 12:52 PM, Wes Turner <span dir="ltr"><<a href="mailto:wes.turner@gmail.com" target="_blank">wes.turner@gmail.com</a>></span> wrote:<br /><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">... I'm now -1000 on this.<div><br /></div><div><span style="font-size:12.8000001907349px">~"Make it hard to do wrong; or easy to do correctly"</span><br /></div><div><span style="font-size:12.8000001907349px"><br /></span></div><div><span style="font-size:12.8000001907349px">... Here are these, (which should also not be used for porting shell scripts to python): <a href="http://jinja.pocoo.org/docs/dev/templates/#expressions" target="_blank">http://jinja.pocoo.org/docs/dev/templates/#expressions</a></span></div></div></blockquote><div><br /></div><div><div>So, again, I am </div><div>-1000 on (both of these
PEPs)</div><div>because they are just another way of making it too easy to do the wrong thing.</div><div><br /></div><div>* #1 most prevalent security vulnerability:</div><div><table border="1" cellpadding="1" cellspacing="1" width="100%" style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,Geneva,sans-serif;font-size:medium"><tbody><tr><td class="ltpurplebackground" style="font-family:Verdana,Arial,Helvetica,Geneva,sans-serif;background-color:rgb(221,226,245)!important"><b><font size="+5">1</font></b></td><td class="ltgreybackground" style="font-family:Verdana,Arial,Helvetica,Geneva,sans-serif;background-color:rgb(238,238,238)"><font size="+1"><b><a target="_blank" href="http://cwe.mitre.org/data/definitions/89.html" style="color:rgb(0,0,102)">CWE-89</a>: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</b></font></td></tr></tbody></table></div><div><br /></div><div> * ORM with parametrization, quoting, escaping and lists of
reserved words </div><div> * SQLAlchemy</div><div><br /></div><div>* #2 most prevalent security vulnerability:</div><table border="1" cellpadding="1" cellspacing="1" width="100%" style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,Geneva,sans-serif;font-size:medium"><tbody><tr><td class="ltpurplebackground" style="font-family:Verdana,Arial,Helvetica,Geneva,sans-serif;background-color:rgb(221,226,245)!important"><b><font size="+5">2</font></b></td><td class="ltgreybackground" style="font-family:Verdana,Arial,Helvetica,Geneva,sans-serif;background-color:rgb(238,238,238)"><font size="+1"><b><a target="_blank" href="http://cwe.mitre.org/data/definitions/78.html" style="color:rgb(0,0,102)">CWE-78</a>: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')</b></font></td></tr></tbody></table><div><br /></div><div> * Command preparation library (which builds a tuple() for exec)</div><div> * Sarge,
subprocess.call(shell=False=0) </div></div><div><br /></div><div><br /></div><div>- [ ] DOC: (Something like this COULD/SHOULD be in the % and str.format docs as well)</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br /><div class="gmail_quote">On Tue, Aug 11, 2015 at 12:48 PM, Wes Turner <span dir="ltr"><<a href="mailto:wes.turner@gmail.com" target="_blank">wes.turner@gmail.com</a>></span> wrote:<br /><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><br /><div class="gmail_quote"><div><div>On Tue, Aug 11, 2015 at 12:08 PM, Nick Coghlan <span dir="ltr"><<a href="mailto:ncoghlan@gmail.com" target="_blank">ncoghlan@gmail.com</a>></span> wrote:<br /><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">[off list]<br />
<span><br />
On 12 August 2015 at 01:28, Wes Turner <<a href="mailto:wes.turner@gmail.com" target="_blank">wes.turner@gmail.com</a>> wrote:<br />
><br />
> On Aug 11, 2015 10:19 AM, "Wes Turner" <<a href="mailto:wes.turner@gmail.com" target="_blank">wes.turner@gmail.com</a>> wrote:<br />
>><br />
>><br />
>> On Aug 11, 2015 10:10 AM, "Alexander Walters" <<a href="mailto:tritium-list@sdamon.com" target="_blank">tritium-list@sdamon.com</a>><br />
>> wrote:<br />
>> ><br />
>> > This may seam like a simplistic solution to i18n, but why not just add a<br />
>> > method to string objects (assuming we implement f-strings) that just returns<br />
>> > the original, unprocessed string. If the string was not an f-string, it<br />
>> > just returns self. The gettext module can be modified, I think trivially,<br />
>> > to use the method instead of the string directly.<br />
>> ><br />
>> > Is this a horrible idea?<br />
><br />
> - [ ] review all string interpolation (for "injection")<br />
> * [ ] review every '%'<br />
> * [ ] review every ".format()"<br />
> * [ ] review every f-string (AND LOCALS AND GLOBALS)<br />
> * every os.system, os.exec*, subprocess.Popen<br />
> * every unclosed tag<br />
> * every unescaped control character<br />
><br />
> This would create work we don't need.<br />
><br />
> Solution: __str_shell_ escapes, adds slashes, and quotes. __str__SQL__ refs<br />
> a global list of reserved words.<br />
<br />
</span>Wes, we're not mind readers - I know you're trying to be concise to<br />
save people time when reading, but these bullet-point-only posts are<br />
*harder* to read than if you wrote out a full explanation of what you<br />
meant. With this cryptic form, we have to try to guess the missing<br />
pieces, which is slower and less certain than having them already<br />
written out in the post.<br /></blockquote><div><br /></div></div></div><div>~"This is another way to make it easier to do the wrong thing; where a better solution (AND/OR DOCS ON ALL STRING INTERPOLATION) would be less likely to increase the ocurrence of CWE TOP 25 #1 and #2"<br /></div><div><br /></div><div>printf is often dangerous and wrng because things aren't escaped (or scope is not controlled, or things are mutable)</div><div><br /></div><div><br /></div><div>~"Make it hard to do; or easy to do the right way"</div><span><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br />
Regards,<br />
<div><div>Nick.<br />
<br />
--<br />
Nick Coghlan | <a href="mailto:ncoghlan@gmail.com" target="_blank">ncoghlan@gmail.com</a> | Brisbane, Australia<br />
</div></div></blockquote></span></div><br /></div></div>
</blockquote></div><br /></div>
</div></div></blockquote></div><br /></div></div>
<p style="margin-top: 2.5em; margin-bottom: 1em; border-bottom: 1px solid #000"></p><pre class="k9mail"><hr /><br />Python-ideas mailing list<br />Python-ideas@python.org<br /><a href="https://mail.python.org/mailman/listinfo/python-ideas">https://mail.python.org/mailman/listinfo/python-ideas</a><br />Code of Conduct: <a href="http://python.org/psf/codeofconduct/">http://python.org/psf/codeofconduct/</a></pre></blockquote></div><br>
-- <br>
Sent from my Nexus 5 with K-9 Mail. Please excuse my brevity.</body></html>