[Python-3000] Addition to PEP 3101

Jim Jewett jimjjewett at gmail.com
Tue May 1 16:31:08 CEST 2007

On 4/30/07, Talin <talin at acm.org> wrote:
> Greg Ewing wrote:
> > Patrick Maupin wrote:

> >> Method calls are deliberately disallowed by the PEP, so that the
> >> implementation has some hope of being securable.

> > If attribute access is allowed, arbitrary code can already
> > be triggered, so I don't see how this makes a difference
> > to security.

> Not quite. It depends on what you mean by 'arbitrary code'. ...

If I understood that correctly, then

(1)  The format string cannot run arbitrary code, but
(2)  The formatted objects themselves can.

This is probably a feature, since you can pass proxy objects, but it
should definately be called out explicitly in the security section
(currently just some text in Simple and Compound Names section).
Example Text:

Note that while (literal strings used as) format strings are
effectively sandboxed, the formatted objects themselves are not.

    "My name is {0[name]}".format(evil_map)

would still allow evil_map to run arbitrary code.


More information about the Python-3000 mailing list