[Python-3000] Addition to PEP 3101

Guido van Rossum guido at python.org
Tue May 1 21:11:31 CEST 2007


On 5/1/07, Jim Jewett <jimjjewett at gmail.com> wrote:
> On 5/1/07, Guido van Rossum <guido at python.org> wrote:
> > On 5/1/07, Jim Jewett <jimjjewett at gmail.com> wrote:
>
> > > There are some things you can safely do with even arbitrary objects --
> > > such as appending them to a list.
>
> > > By mentioning security as a reason to restrict the format, it suggests
> > > that this is another safe context.  It isn't.
>
> > But your presumption that the map is already evil makes it irrelevant
> > whether the format is safe or not. Having the evil map is the problem,
> > not passing it to the format operation.
>
> Using a map was probably misleading.  Let me rephrase:
>
> While the literal string itself is safe, the format function is only
> as safe as the objects being formatted.  The example below gets
> person.name; if the person object itself is malicious, then even this
> attribute access could run arbitrary code.
>
>      "My name is {0.name}".format(person)

And my point is that the security concerns here are not about
malicious arguments to the format() method; that's not part of the
threat model. If you have a person object in your program you can't
trust, you have a problem whether or not you use the format method.

The threat we're concerned about here (as Patrick explained in his
response) is format strings provided by translators or non-root
webmasters or (less likely) end users. Translation is probably the
main use case; another use case is exemplified by mailman, which gives
list owners the means to edit list-specific html templates which are
used as format strings. We want to prevent those folks from
(accidentally or intentionally) crashing the web server or elevating
their privileges.

-- 
--Guido van Rossum (home page: http://www.python.org/~guido/)
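One way to enforce the threat model described above, added here as an example (it is not code from this thread, from PEP 3101 or from CPython): a string.Formatter subclass that lets a template written by a translator or list owner use only allow-listed bare names, so "{0.name}"-style attribute access, indexing and positional fields are refused before any lookup happens. The names render_untrusted, is_rejected and the allow-list are assumptions of this example.

```python
import string


class RestrictedFormatter(string.Formatter):
    """Formatter for templates written by people other than the program's
    authors (translators, webmasters editing templates).

    Only bare field names from an explicit allow-list are resolved.
    Positional fields ("{0}", "{}"), attribute access ("{0.name}") and
    indexing ("{user[0]}") are refused, so a template can never walk
    from a formatted value into arbitrary objects or their attributes.
    """

    def __init__(self, allowed_fields):
        super().__init__()
        self.allowed_fields = frozenset(allowed_fields)

    def get_field(self, field_name, args, kwargs):
        # field_name is the raw text between "{" and "!", ":" or "}",
        # e.g. "name", "0.name", "user[0]"; anything that is not exactly
        # an allow-listed name is rejected before any object is touched.
        if field_name not in self.allowed_fields:
            raise ValueError("template field %r is not permitted" % field_name)
        return kwargs[field_name], field_name

    def format_field(self, value, format_spec):
        # Convert to str first so the format spec is handled by str.__format__
        # and is never dispatched to a template-chosen object's __format__.
        return format(str(value), format_spec)


def render_untrusted(template, allowed_fields, **values):
    """Render an untrusted template against caller-supplied values."""
    return RestrictedFormatter(allowed_fields).vformat(template, (), values)


def is_rejected(template, allowed_fields, **values):
    """True if the restricted formatter refuses the template."""
    try:
        render_untrusted(template, allowed_fields, **values)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    allowed = ["name", "listname"]  # constructed allow-list for the demo
    print(render_untrusted("My name is {name}", allowed, name="Ada"))
    print(render_untrusted("Welcome to {listname}, {name:>6}!", allowed,
                           name="Ada", listname="py-dev"))
    for bad in ("{0.name}", "{name.__class__}", "{name[0]}", "{}"):
        assert is_rejected(bad, allowed, name="Ada")
```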

