[Python-3000] Addition to PEP 3101

Guido van Rossum guido at python.org
Tue May 1 18:48:43 CEST 2007


On 5/1/07, Jim Jewett <jimjjewett at gmail.com> wrote:
> On 4/30/07, Talin <talin at acm.org> wrote:
> > Greg Ewing wrote:
> > > Patrick Maupin wrote:
>
> > >> Method calls are deliberately disallowed by the PEP, so that the
> > >> implementation has some hope of being securable.
>
> > > If attribute access is allowed, arbitrary code can already
> > > be triggered, so I don't see how this makes a difference
> > > to security.
>
> > Not quite. It depends on what you mean by 'arbitrary code'. ...
>
> If I understood that correctly, then
>
> (1)  The format string cannot run arbitrary code, but
> (2)  The formatted objects themselves can.
>
> This is probably a feature, since you can pass proxy objects, but it
> should definitely be called out explicitly in the security section
> (currently just some text in Simple and Compound Names section).
> Example Text:
>
>
> Note that while (literal strings used as) format strings are
> effectively sandboxed, the formatted objects themselves are not.
>
>     "My name is {0[name]}".format(evil_map)
>
> would still allow evil_map to run arbitrary code.

And how on earth would that be a security threat?

-- 
--Guido van Rossum (home page: http://www.python.org/~guido/)
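
The distinction Jim draws above (the template is restricted, the formatted object is not) can be exercised directly. The block below is an added example, not code from the thread or from the PEP's reference implementation; `EvilMap`, `render`, `try_render` and the sample templates are constructed for illustration:

```python
# Added example (not from the original thread): what the PEP 3101
# format-string mini-language can and cannot trigger.  EvilMap and the
# templates below are constructed for illustration.


class EvilMap:
    """A mapping whose __getitem__ runs code of its own when indexed.

    Appending to `calls` stands in for "arbitrary code": whatever is
    placed in __getitem__ runs the moment a template indexes the object.
    """

    def __init__(self):
        self.calls = []

    def __getitem__(self, key):
        self.calls.append(key)
        return "Talin"


def render(template, obj):
    """Apply a str.format template to a single positional argument."""
    return template.format(obj)


def try_render(template, obj):
    """Return (True, text) if the template renders, else (False, error name).

    The mini-language has no call syntax: '()' after a name is simply part
    of the attribute name that str.format looks up, so the lookup fails
    instead of calling anything.
    """
    try:
        return True, render(template, obj)
    except (AttributeError, KeyError, IndexError, ValueError) as exc:
        return False, type(exc).__name__


def template_reaches_object_code():
    """'{0[name]}' makes str.format call evil_map.__getitem__('name')."""
    evil_map = EvilMap()
    out = render("My name is {0[name]}", evil_map)
    # The object's own code ran; the template only chose which key to ask for.
    return out, list(evil_map.calls)


def allowed_field_forms():
    """The field grammar permits only item access and attribute access."""
    data = {"name": "Talin", "langs": ["python"]}
    return {
        "index": render("{0[name]}", data),        # data['name']
        "nested": render("{0[langs][0]}", data),   # data['langs'][0]
        "attr": render("{0.real}", 3),             # (3).real
    }
```

`try_render("{0.upper()}", "x")` fails with an AttributeError because the parser treats `upper()` as an attribute name, which is the sense in which a literal template is sandboxed; `template_reaches_object_code()` shows the other half of Jim's point, that `__getitem__` on the formatted object runs regardless. Which half matters depends on which of the two, template or object, comes from an untrusted party.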

