[Python-3000] Addition to PEP 3101
Jim Jewett
jimjjewett at gmail.com
Tue May 1 16:31:08 CEST 2007
On 4/30/07, Talin <talin at acm.org> wrote:
> Greg Ewing wrote:
> > Patrick Maupin wrote:
> >> Method calls are deliberately disallowed by the PEP, so that the
> >> implementation has some hope of being securable.
> > If attribute access is allowed, arbitrary code can already
> > be triggered, so I don't see how this makes a difference
> > to security.
> Not quite. It depends on what you mean by 'arbitrary code'. ...
If I understood that correctly, then
(1) The format string cannot run arbitrary code, but
(2) The formatted objects themselves can.
This is probably a feature, since you can pass proxy objects, but it
should definately be called out explicitly in the security section
(currently just some text in Simple and Compound Names section).
Example Text:
Note that while (literal strings used as) format strings are
effectively sandboxed, the formatted objects themselves are not.
"My name is {0[name]}".format(evil_map)
would still allow evil_map to run arbitrary code.
-jJ
More information about the Python-3000
mailing list