
On 6 August 2015 at 13:18, Steven D'Aprano <steve@pearwood.info> wrote:
> We can teach people to avoid the risk of command injection attacks by
> avoiding interpolation, but the proposed syntax makes it easier to use
> interpolation without noticing.
We actually aim to teach folks to avoid shell injection attacks by avoiding the shell: https://docs.python.org/3/library/subprocess.html#security-considerations

If you invoke the shell in any kind of networked application, it's inevitable that you're eventually going to let a shell injection attack through (at which point you better hope you have something like SELinux or AppArmor configured to protect your system from your mistake).

That said, this is also why I'm a fan of eventually allowing syntax like:

    !sh("sort $file > uniq > wc -l")
    !sql("select $col from $table")
    !html("<html><body>$body</body></html>")

that eventually adapts whatever interpolation syntax we decide on here for format strings to other operations like shell commands and SQL queries.

The more time I spend dealing with the practical realities of writing commercial software, the more convinced I became that the right way to do something and the easiest way to do something have to be the same way if we seriously expect people to consistently get it right (and yes, the PEP 466 & 476 discussions had a significant role to play in that change of heart, as did the Unicode changes between Python 2 & 3).

When the current easiest way is wrong, the only way to reliably get people to do it right in the future is to provide an even easier way that automatically does the right thing by default (this also helps act as a forcing function that encourages folks to learn "how to do it right" in older versions, even if the new feature itself isn't available there).

It's not a panacea (bad habits are hard to unlearn), but we can at least try to help stop particularly pernicious problems getting worse.

Cheers,
Nick.

--
Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia
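An added illustration of the point above (example code written for this page, not from the thread or any PEP): a naive interpolated command beside two safe shapes, an argv list for subprocess without the shell, and, where a real pipeline needs the shell, per-value quoting with shlex.quote. The `sh_argv` / `sh_string` helpers are a hypothetical sketch of what an `!sh(...)`-style operation could do with `$name` placeholders; they are not proposed syntax.

```python
import shlex
import string


def naive_command(user_file):
    # The easy-but-wrong way: plain interpolation into a string that is later
    # handed to shell=True. A ';' in the value ends 'sort' and starts a second
    # command, which is exactly the shell injection the post warns about.
    return f"sort {user_file} | uniq | wc -l"


def sh_argv(template, **values):
    # Hypothetical helper (not real Python syntax): tokenize the template the
    # way a shell would, then substitute each whole "$name" token with its
    # value as ONE argument. The result is an argv list for subprocess.run()
    # without shell=True, so metacharacters in values are never interpreted.
    argv = []
    for token in shlex.split(template):
        if token.startswith("$"):
            name = token[1:]
            if name not in values:
                raise KeyError(name)
            argv.append(str(values[name]))
        else:
            argv.append(token)
    # Caveat: a value beginning with '-' is still a literal argument, but the
    # called program may read it as an option; pass '--' before user data
    # when the program supports it.
    return argv


def sh_string(template, **values):
    # When a real pipeline genuinely needs the shell, every value is quoted
    # with shlex.quote() BEFORE substitution, so it stays a single word.
    quoted = {k: shlex.quote(str(v)) for k, v in values.items()}
    return string.Template(template).substitute(quoted)


if __name__ == "__main__":
    hostile = "data.txt; echo INJECTED"  # constructed sample input
    print(naive_command(hostile))                       # two commands
    print(sh_argv("sort $file", file=hostile))          # one argument
    print(sh_string("sort $file | uniq | wc -l", file=hostile))  # quoted
```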