[Python-3000] Addition to PEP 3101

Patrick Maupin pmaupin at gmail.com
Tue May 1 20:52:20 CEST 2007

On 5/1/07, Jim Jewett <jimjjewett at gmail.com> wrote:
> On 5/1/07, Guido van Rossum <guido at python.org> wrote:
> > But your presumption that the map is already evil makes it irrelevant
> > whether the format is safe or not. Having the evil map is the problem,
> > not passing it to the format operation.
> Using a map was probably misleading.  Let me rephrase:
> While the literal string itself is safe, the format function is only
> as safe as the objects being formatted.  The example below gets
> person.name; if the person object itself is malicious, then even this
> attribute access could run arbitrary code.
>      "My name is {0.name}".format(person)
> -jJ

There is a (perhaps misguided) consensus that the format() operation
ought to have the property that a programmer can write a program which
will not have an issue with potentially hostile strings.  (Personally,
I view security as an open-ended problem, and don't deal with hostile
strings without a LOT of massaging.)

It is, and will continue to be the case, that the programmer can
EASILY write code that would do something bad with a given format
string, and yet not do something bad with another format string.  This
is true even with the percent operator and a dictionary (which might
be subclassed to do something evil on a lookup operator).

All the format() operation can do to help in this instance is a few
minor restriction.  Don't allow calls, don't allow lookups of
attributes with leading underscores.  This makes it relatively easy to
write "format-safe" objects.  Does it make it impossible to write a
"format-unsafe" object?  No, and that was never the intention.


More information about the Python-3000 mailing list