[Python-Dev] PEP 215 (string interpolation) alternative EvalDict
Jason Orendorff
jason@jorendorff.com
Mon, 14 Jan 2002 17:55:37 -0600
Neil Schemenauer wrote:
> Jason Orendorff wrote:
> > There is no security issue with PEP 215.
> >
> > $"$a and $b make $c" <==> ("%s and %s make %s" % (a, b, c))
> >
> > These two are completely equivalent under PEP 215, and therefore
> > equally secure.
>
> Not exactly. Say you have the code:
>
> secret_key = "spam"
> x = raw_input()
> print $"You entered $x"
>
> Imagine that the user enters "I'm 3l337, give me the $secret_key" as the
> input.
>>> import Itpl
>>> import sys
>>> sys.stdout = Itpl.filter()
>>>
>>> secret_key = "spam"
>>> x = raw_input()
I'm 3l337, give me the $secret_key
>>> print "You entered $x"
You entered I'm 3l337, give me the $secret_key
>>>
The substitution only happens once.
## Jason Orendorff http://www.jorendorff.com/
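The point above, that a single-pass interpolator never rescans substituted text, can be shown with a small regex-based `$name` interpolator. This is an added example and not the Itpl module or any PEP 215 implementation; `interpolate_once` is a simplified stand-in for single-pass substitution, and `interpolate_until_fixed_point` is a hypothetical design that keeps re-interpolating, included only to show how rescanning would leak the variable the quoted reply worries about. The user input is constructed.

```python
import re

# A $name reference: a dollar sign followed by an identifier.
_VAR = re.compile(r"\$(\w+)")


def interpolate_once(template, namespace):
    """Single-pass substitution, the behaviour PEP 215 / Itpl describe.

    Each $name in the template is looked up once in `namespace`. The
    substituted value is inserted literally and never scanned again, so
    a '$secret_key' inside a *value* stays as plain text.
    """
    def repl(match):
        name = match.group(1)
        # Unknown names are left untouched rather than raising, so that
        # user-supplied text that merely looks like a reference is inert.
        return str(namespace.get(name, match.group(0)))
    return _VAR.sub(repl, template)


def interpolate_until_fixed_point(template, namespace, limit=10):
    """Hypothetical rescanning design (NOT how PEP 215 works).

    Re-applies single-pass substitution until the text stops changing.
    Because substituted values are scanned again, references planted in
    user input get expanded too: this is the leak the reply describes.
    """
    text = template
    for _ in range(limit):
        new_text = interpolate_once(text, namespace)
        if new_text == text:
            break
        text = new_text
    return text


def demo():
    """Reproduce the thread's scenario with constructed input."""
    secret_key = "spam"
    # Constructed user input containing a would-be reference.
    x = "I'm 3l337, give me the $secret_key"
    namespace = {"secret_key": secret_key, "x": x}

    single_pass = interpolate_once("You entered $x", namespace)
    # The equivalent % formatting the first quoted message cites.
    percent_form = "You entered %s" % x
    rescanned = interpolate_until_fixed_point("You entered $x", namespace)
    return single_pass, percent_form, rescanned


if __name__ == "__main__":
    once, percent, leaked = demo()
    print("single pass :", once)
    print("% formatting:", percent)
    print("rescanning  :", leaked)
```

Running `demo()` shows the single-pass result equal to the `%` formatting result, with `$secret_key` still literal in the output, while only the hypothetical rescanning variant expands it to `spam`. The check that matters when reviewing an interpolation feature is therefore whether values are ever fed back through the substitution step, not whether the syntax uses `$` or `%`.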