[New-bugs-announce] [issue10021] Format parser is too permissive
report at bugs.python.org
Mon Oct 4 18:24:06 CEST 2010
New submission from Alexander Belopolsky <belopolsky at users.sourceforge.net>:
According to the Format String Syntax section, attribute_name must be an identifier. However, the parser does not catch a violation of this rule and happily passes non-identifier strings to getattribute:
>>> class X:
...     def __getattribute__(self, a): return 'foo'
If this is a desirable feature, I think it should be clearly documented because in some cases, for example when formatted objects are proxies to database entries, passing arbitrary strings to __getattribute__ may be wasteful at best and a security hole at worst.
components: Interpreter Core
title: Format parser is too permissive
versions: Python 3.2
Python tracker <report at bugs.python.org>
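
The behaviour described in the report, together with one way to enforce the documented identifier rule in application code, as an added example that is not part of the original report or of CPython. `check_field_name`, `StrictFormatter` and `Proxy` are hypothetical names, and the check is hooked in through `string.Formatter.get_field`:

```python
import re
import string

# One ".attr" or "[index]" accessor, following the documented field_name grammar.
_ACCESSOR = re.compile(r"\.(?P<attr>[^.\[]*)|\[(?P<index>[^\]]+)\]")

def check_field_name(field_name):
    """Raise ValueError unless every attribute_name in field_name is an identifier."""
    head = re.match(r"[^.\[]*", field_name).group()
    is_number = head.isascii() and head.isdigit()
    if head and not (is_number or head.isidentifier()):
        raise ValueError(f"invalid arg_name {head!r}")
    pos = len(head)
    while pos < len(field_name):
        m = _ACCESSOR.match(field_name, pos)
        if m is None:
            raise ValueError(f"malformed field name {field_name!r}")
        attr = m.group("attr")
        if attr is not None and not attr.isidentifier():
            raise ValueError(f"attribute name {attr!r} is not an identifier")
        pos = m.end()

class StrictFormatter(string.Formatter):
    """string.Formatter that validates field names before any getattr() happens."""
    def get_field(self, field_name, args, kwargs):
        check_field_name(field_name)
        return super().get_field(field_name, args, kwargs)

class Proxy:
    """Constructed stand-in for a database proxy; records each name it is asked for."""
    def __init__(self):
        self.seen = []
    def __getattribute__(self, name):
        if name == "seen":
            return object.__getattribute__(self, name)
        object.__getattribute__(self, "seen").append(name)
        return "foo"

def demo():
    permissive, strict = Proxy(), Proxy()
    out = "{0.a b}".format(permissive)   # built-in parser: "a b" reaches the proxy
    try:
        StrictFormatter().format("{0.a b}", strict)
        rejected = False
    except ValueError:
        rejected = True                  # rejected before __getattribute__ runs
    ok = StrictFormatter().format("{0.name}", strict)
    return out, permissive.seen, rejected, strict.seen, ok
```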