[Python-3000] Addition to PEP 3101

Jim Jewett jimjjewett at gmail.com
Tue May 1 20:20:01 CEST 2007

On 5/1/07, Guido van Rossum <guido at python.org> wrote:
> On 5/1/07, Jim Jewett <jimjjewett at gmail.com> wrote:

> > Note that while (literal strings used as) format strings are
> > effectively sandboxed, the formatted objects themselves are not.

> >     "My name is {0[name]}".format(evil_map)

> > would still allow evil_map to run arbitrary code.

> And how on earth would that be a security threat?

There are some things you can safely do with even arbitrary objects --
such as appending them to a list.

By mentioning security as a reason to restrict the format, it suggests
that this is another safe context.  It isn't.


More information about the Python-3000 mailing list