[Python-3000] Addition to PEP 3101
Patrick Maupin
pmaupin at gmail.com
Tue May 1 20:52:20 CEST 2007
On 5/1/07, Jim Jewett <jimjjewett at gmail.com> wrote:
> On 5/1/07, Guido van Rossum <guido at python.org> wrote:
> > But your presumption that the map is already evil makes it irrelevant
> > whether the format is safe or not. Having the evil map is the problem,
> > not passing it to the format operation.
>
> Using a map was probably misleading. Let me rephrase:
>
> While the literal string itself is safe, the format function is only
> as safe as the objects being formatted. The example below gets
> person.name; if the person object itself is malicious, then even this
> attribute access could run arbitrary code.
>
> "My name is {0.name}".format(person)
>
> -jJ
There is a (perhaps misguided) consensus that the format() operation
ought to have the property that a programmer can write a program which
will not have an issue with potentially hostile strings. (Personally,
I view security as an open-ended problem, and don't deal with hostile
strings without a LOT of massaging.)
It is, and will continue to be the case, that the programmer can
EASILY write code that would do something bad with a given format
string, and yet not do something bad with another format string. This
is true even with the percent operator and a dictionary (which might
be subclassed to do something evil on a lookup operator).
All the format() operation can do to help in this instance is a few
minor restriction. Don't allow calls, don't allow lookups of
attributes with leading underscores. This makes it relatively easy to
write "format-safe" objects. Does it make it impossible to write a
"format-unsafe" object? No, and that was never the intention.
Regards,
Pat
More information about the Python-3000
mailing list