[Python-Dev] PEP 215 (string interpolation) alternative EvalDict

Steven Majewski sdm7g@Virginia.EDU
Mon, 14 Jan 2002 18:19:21 -0500 (EST)


On Mon, 14 Jan 2002, Jason Orendorff wrote:

> > But if you're going to allow interpolation of the results of arbitrary
> > functions into a string, it's going to be a security problem whether
> > or not you use 'eval' to do it. My code hides the eval in the object's
> > python code. u" strings would hide the eval in the C code. How is one
> > more or less secure than the other?
>
> There is no security issue with PEP 215.
>
> $"$a and $b make $c"   <==>  ("%s and %s make %s" % (a, b, c))
>
> These two are completely equivalent under PEP 215, and therefore
> equally secure.

You're right. I'm confusing PEP 215 with the discussion on PEP 215,
where that feature was requested.

However, if you allow array and member access as well, which Paul
suggests, then you open the security problem back up unless you
do some code analysis (as he also suggests) to make sure that
[index] or .member doesn't perform a hidden function call
(a virus-infected __getitem__, for example).

-- Steve
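The distinction drawn in this thread, as an added illustration that is not code from the post, from PEP 215, or from the EvalDict proposal: a small `$`-token substituter in which bare `$name` is the `"%s" % name` equivalent and runs no code, `[index]`/`.member` access is only allowed through a checked resolver (the "code analysis" Paul suggests) that refuses containers and attributes whose lookup could dispatch to user-defined `__getitem__`/`__getattr__`/properties, and an unchecked `eval()` variant that demonstrates the hidden call. `_TOKEN`, `_resolve`, `interpolate`, `unchecked_interpolate` and `TrackedDict` are assumed names; Python 3.9+ `ast` layout is assumed.

```python
import ast
import re

# Constructed approximation of PEP 215's $"..." form (assumed names, not PEP text):
# $name alone is equivalent to "%s" % name and runs no code, but $name[key] or
# $name.attr dispatches to __getitem__/__getattr__, which may be user-defined.
_TOKEN = re.compile(r"\$([A-Za-z_]\w*(?:\.[A-Za-z_]\w*|\[[^\]]*\])*)")
_PLAIN_CONTAINERS = (dict, list, tuple, str)  # exact builtin types: C __getitem__

class TrackedDict(dict):
    """Constructed stand-in for a container whose __getitem__ hides a function call."""
    calls = []

    def __getitem__(self, key):
        TrackedDict.calls.append(key)  # the hidden call the thread worries about
        return dict.__getitem__(self, key)

def _resolve(node, namespace):
    """Walk a Name/Attribute/Subscript chain without invoking user-defined hooks."""
    if isinstance(node, ast.Name):
        return namespace[node.id]
    if isinstance(node, ast.Attribute):
        base = _resolve(node.value, namespace)
        fields = getattr(base, "__dict__", {})  # instance dict: no properties, no __getattr__
        if node.attr.startswith("_") or node.attr not in fields:
            raise ValueError("attribute %r is not a plain instance field" % node.attr)
        return fields[node.attr]
    if isinstance(node, ast.Subscript) and isinstance(node.slice, ast.Constant):
        base = _resolve(node.value, namespace)
        if type(base) not in _PLAIN_CONTAINERS:  # a subclass may override __getitem__
            raise ValueError("subscript on non-builtin container " + type(base).__name__)
        return base[node.slice.value]
    raise ValueError("unsupported expression: " + ast.dump(node))

def interpolate(template, namespace, allow_access=False):
    """Substitute $expr tokens (Python 3.9+ ast layout assumed). With allow_access
    False only bare names pass, matching the "%s" % (a, b, c) equivalence; with
    True, attribute/index access goes through the checked _resolve() path only."""
    def repl(m):
        node = ast.parse(m.group(1), mode="eval").body
        if not allow_access and not isinstance(node, ast.Name):
            raise ValueError("only bare names allowed: " + m.group(1))
        return str(_resolve(node, namespace))
    return _TOKEN.sub(repl, template)

def unchecked_interpolate(template, namespace):
    """The naive variant: eval() each token, so any __getitem__ runs freely."""
    return _TOKEN.sub(lambda m: str(eval(m.group(1), {}, namespace)), template)
```

Running `unchecked_interpolate("$d['k']", ns)` on a `TrackedDict` records the hidden call in `TrackedDict.calls`, while `interpolate(..., allow_access=True)` rejects the same token before any user-defined `__getitem__` can run.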