[Python-3000] Proposed changes to PEP3101 advanced string formatting -- please discuss and vote!
Eric V. Smith
eric+python-dev at trueblade.com
Wed Mar 14 12:36:43 CET 2007
Nick Coghlan wrote:
>> Feature: Exception raised if attribute with leading underscore accessed.
>>
>> The syntax supported by the PEP is deliberately limited in an attempt
>> to increase security. This is an additional security measure, which
>> is on by default, but can be optionally disabled if
>> string.flag_format() is used instead of 'somestring'.format().
>
> -0
>
> This is only an issue if implicit access to locals()/globals() is
> permitted, and is unlikely to help much in that case (underscores are
> rarely used with local variables, and those are the most likely to
> contain juicy information which may be leaked)
That's not true. What this feature is trying to prevent is access to
attributes of the passed in objects. For example:
>>> from pep3101 import format
>>> class Foo: pass
...
>>> format("{0.__module__}", Foo())
Traceback (most recent call last):
File "<stdin>", line 1, in ?
ValueError: Leading underscores not allowed in attribute/index strings
at format_string[3]
>>> format("{0.__module__}", Foo(), _allow_leading_underscores=1)
'__main__'
>>> format('{0.__module__.lower}', Foo(), _allow_leading_underscores=1)
'<built-in method lower of str object at 0xf6fd3320>'
The thinking is that the format strings might come from a translation,
or otherwise not be under the direct control of the original programmer.
(I won't go so far as to say it's likely they'll be user-supplied, but
I guess it's possible.)
So be preventing access to attributes with leading underscores, we're
trying to prevent access to arguably private attributes. I'm not sure
it's much of a security measure, but it's something.
Eric.
More information about the Python-3000
mailing list