[Python-3000] Proposed changes to PEP3101 advanced string formatting -- please discuss and vote!
Eric V. Smith
eric+python-dev at trueblade.com
Wed Mar 14 14:55:28 CET 2007
Eric V. Smith wrote:
> Nick Coghlan wrote:
>>> Feature: Exception raised if attribute with leading underscore accessed.
>>>
>>> The syntax supported by the PEP is deliberately limited in an attempt
>>> to increase security. This is an additional security measure, which
>>> is on by default, but can be optionally disabled if
>>> string.flag_format() is used instead of 'somestring'.format().
>> -0
>>
>> This is only an issue if implicit access to locals()/globals() is
>> permitted, and is unlikely to help much in that case (underscores are
>> rarely used with local variables, and those are the most likely to
>> contain juicy information which may be leaked)
>
> That's not true. What this feature is trying to prevent is access to
> attributes of the passed in objects. For example:
I should have said "It's not an issue only if locals()/globals() are
allowed". It is true that automatic locals()/globals() magnifies this
issue, but it exists even without it.
Eric.
More information about the Python-3000
mailing list