[Python-3000] Addition to PEP 3101

Jim Jewett jimjjewett at gmail.com
Tue May 1 20:39:59 CEST 2007

On 5/1/07, Guido van Rossum <guido at python.org> wrote:
> On 5/1/07, Jim Jewett <jimjjewett at gmail.com> wrote:

> > There are some things you can safely do with even arbitrary objects --
> > such as appending them to a list.

> > By mentioning security as a reason to restrict the format, it suggests
> > that this is another safe context.  It isn't.

> But your presumption that the map is already evil makes it irrelevant
> whether the format is safe or not. Having the evil map is the problem,
> not passing it to the format operation.

Using a map was probably misleading.  Let me rephrase:

While the literal string itself is safe, the format function is only
as safe as the objects being formatted.  The example below gets
person.name; if the person object itself is malicious, then even this
attribute access could run arbitrary code.

     "My name is {0.name}".format(person)


More information about the Python-3000 mailing list