[Python-3000] Addition to PEP 3101
Jim Jewett
jimjjewett at gmail.com
Tue May 1 20:20:01 CEST 2007
On 5/1/07, Guido van Rossum <guido at python.org> wrote:
> On 5/1/07, Jim Jewett <jimjjewett at gmail.com> wrote:
> > Note that while (literal strings used as) format strings are
> > effectively sandboxed, the formatted objects themselves are not.
> > "My name is {0[name]}".format(evil_map)
> > would still allow evil_map to run arbitrary code.
> And how on earth would that be a security threat?
There are some things you can safely do with even arbitrary objects --
such as appending them to a list.
By mentioning security as a reason to restrict the format, it suggests
that this is another safe context. It isn't.
-jJ
More information about the Python-3000
mailing list