[Python-3000] [Python-Dev] Issues with PEP 3101 (string formatting)

[Greg Falcon]

On 6/19/07, Chris McDonough <chrism at plope.com> wrote:
> Given that security is a concern at all, the only truly reasonable
> way to "limit security issues" is to disallow item and attribute
> access completely within the string templating expression syntax.  It
> seems gratuituous to me to encourage string templating expressions
> with item/attribute access, given that you could do it within the
> format arguments just as easily in the 99% case, and we've (well...
> I've) happily been living with that restriction for years now.
>
> But if this syntax is preserved, there really should be no *default*
> restrictions on the traversable names within an expression because
> this will almost certainly become a hard-to-explain, hard-to-justify
> bug magnet as it has become in Zope.

This sounds exactly right to me.  I don't have strong feelings either
way about attribute lookups in formatting strings, or the security
problems they raise.  But while it seems a reasonable stance that
user-injected getattr()s may pose a security problem, what seems
indefensible is the stance that user-injected getattr()s are okay
precisely when the attribute being looked up doesn't start with an
underscore.

A single underscore prefix is a hint to human readers, not to the
language itself, and things should stay that way.

Greg F