<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Aug 11, 2015 at 1:37 PM, Ryan Gonzalez <span dir="ltr"><<a href="mailto:rymg19@gmail.com" target="_blank">rymg19@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>Isn't it already like this? It's no harder than:<br>
<br>
Popen('%s a.c' % cc, shell=True)<br>
<br>
Heck, I used to do that when I started programming (I hadn't yet learned about injection stuff).<br>
<br>
If someone is uneducated about injection, they *will do it anyway*. The introduction of format strings (f-strings sounds like a certain word to me...) wouldn't make it any easier, really.<br></div></blockquote><div><br></div><div>Well, exactly. So I/we must grep for shell=True, %, .format(, .format_globals(**kwargs),</div><div>and f" or f'</div><div>and update static analysis tools (to essentially re-AST string.Template with merge(globals, locals, kwargs))</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><br><div class="gmail_quote"><div><div class="h5">On August 11, 2015 1:22:06 PM CDT, Wes Turner <<a href="mailto:wes.turner@gmail.com" target="_blank">wes.turner@gmail.com</a>> wrote:</div></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div class="h5">
<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Aug 11, 2015 at 12:52 PM, Wes Turner <span dir="ltr"><<a href="mailto:wes.turner@gmail.com" target="_blank">wes.turner@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">... I'm now -1000 on this.<div><br></div><div><span style="font-size:12.8000001907349px">~"Make it hard to do wrong; or easy to do correctly"</span><br></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px">... Here are these, (which should also not be used for porting shell scripts to python): <a href="http://jinja.pocoo.org/docs/dev/templates/#expressions" target="_blank">http://jinja.pocoo.org/docs/dev/templates/#expressions</a></span></div></div></blockquote><div><br></div><div><div>So, again, I am </div><div>-1000 on (both of these
PEPs)</div><div>because they are just another way of making it too easy to do the wrong thing.</div><div><br></div><div>* #1 most prevalent security vulnerability:</div><div><table border="1" cellpadding="1" cellspacing="1" width="100%" style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,Geneva,sans-serif;font-size:medium"><tbody><tr><td style="font-family:Verdana,Arial,Helvetica,Geneva,sans-serif;background-color:rgb(221,226,245)!important"><b><font size="+5">1</font></b></td><td style="font-family:Verdana,Arial,Helvetica,Geneva,sans-serif;background-color:rgb(238,238,238)"><font size="+1"><b><a href="http://cwe.mitre.org/data/definitions/89.html" style="color:rgb(0,0,102)" target="_blank">CWE-89</a>: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</b></font></td></tr></tbody></table></div><div><br></div><div> * ORM with parametrization, quoting, escaping and lists of
reserved words </div><div> * SQLAlchemy</div><div><br></div><div>* #2 most prevalent security vulnerability:</div><table border="1" cellpadding="1" cellspacing="1" width="100%" style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,Geneva,sans-serif;font-size:medium"><tbody><tr><td style="font-family:Verdana,Arial,Helvetica,Geneva,sans-serif;background-color:rgb(221,226,245)!important"><b><font size="+5">2</font></b></td><td style="font-family:Verdana,Arial,Helvetica,Geneva,sans-serif;background-color:rgb(238,238,238)"><font size="+1"><b><a href="http://cwe.mitre.org/data/definitions/78.html" style="color:rgb(0,0,102)" target="_blank">CWE-78</a>: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')</b></font></td></tr></tbody></table><div><br></div><div> * Command preparation library (which builds a tuple() for exec)</div><div> * Sarge,
subprocess.call(shell=False=0) </div></div><div><br></div><div><br></div><div>- [ ] DOC: (Something like this COULD/SHOULD be in the % and str.format docs as well)</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Aug 11, 2015 at 12:48 PM, Wes Turner <span dir="ltr"><<a href="mailto:wes.turner@gmail.com" target="_blank">wes.turner@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote"><div><div>On Tue, Aug 11, 2015 at 12:08 PM, Nick Coghlan <span dir="ltr"><<a href="mailto:ncoghlan@gmail.com" target="_blank">ncoghlan@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">[off list]<br>
<span><br>
On 12 August 2015 at 01:28, Wes Turner <<a href="mailto:wes.turner@gmail.com" target="_blank">wes.turner@gmail.com</a>> wrote:<br>
><br>
> On Aug 11, 2015 10:19 AM, "Wes Turner" <<a href="mailto:wes.turner@gmail.com" target="_blank">wes.turner@gmail.com</a>> wrote:<br>
>><br>
>><br>
>> On Aug 11, 2015 10:10 AM, "Alexander Walters" <<a href="mailto:tritium-list@sdamon.com" target="_blank">tritium-list@sdamon.com</a>><br>
>> wrote:<br>
>> ><br>
>> > This may seam like a simplistic solution to i18n, but why not just add a<br>
>> > method to string objects (assuming we implement f-strings) that just returns<br>
>> > the original, unprocessed string. If the string was not an f-string, it<br>
>> > just returns self. The gettext module can be modified, I think trivially,<br>
>> > to use the method instead of the string directly.<br>
>> ><br>
>> > Is this a horrible idea?<br>
><br>
> - [ ] review all string interpolation (for "injection")<br>
> * [ ] review every '%'<br>
> * [ ] review every ".format()"<br>
> * [ ] review every f-string (AND LOCALS AND GLOBALS)<br>
> * every os.system, os.exec*, subprocess.Popen<br>
> * every unclosed tag<br>
> * every unescaped control character<br>
><br>
> This would create work we don't need.<br>
><br>
> Solution: __str_shell_ escapes, adds slashes, and quotes. __str__SQL__ refs<br>
> a global list of reserved words.<br>
<br>
</span>Wes, we're not mind readers - I know you're trying to be concise to<br>
save people time when reading, but these bullet-point-only posts are<br>
*harder* to read than if you wrote out a full explanation of what you<br>
meant. With this cryptic form, we have to try to guess the missing<br>
pieces, which is slower and less certain than having them already<br>
written out in the post.<br></blockquote><div><br></div></div></div><div>~"This is another way to make it easier to do the wrong thing; where a better solution (AND/OR DOCS ON ALL STRING INTERPOLATION) would be less likely to increase the ocurrence of CWE TOP 25 #1 and #2"<br></div><div><br></div><div>printf is often dangerous and wrng because things aren't escaped (or scope is not controlled, or things are mutable)</div><div><br></div><div><br></div><div>~"Make it hard to do; or easy to do the right way"</div><span><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Regards,<br>
<div><div>Nick.<br>
<br>
--<br>
Nick Coghlan | <a href="mailto:ncoghlan@gmail.com" target="_blank">ncoghlan@gmail.com</a> | Brisbane, Australia<br>
</div></div></blockquote></span></div><br></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div></div>
<p style="margin-top:2.5em;margin-bottom:1em;border-bottom:1px solid #000"></p></div></div><span class=""><pre><hr><br>Python-ideas mailing list<br><a href="mailto:Python-ideas@python.org" target="_blank">Python-ideas@python.org</a><br><a href="https://mail.python.org/mailman/listinfo/python-ideas" target="_blank">https://mail.python.org/mailman/listinfo/python-ideas</a><br>Code of Conduct: <a href="http://python.org/psf/codeofconduct/" target="_blank">http://python.org/psf/codeofconduct/</a></pre></span></blockquote></div><span class="HOEnZb"><font color="#888888"><br>
-- <br>
Sent from my Nexus 5 with K-9 Mail. Please excuse my brevity.</font></span></div></blockquote></div><br></div></div>