[Python-Dev] PEP 215 does not introduce security issues

Ka-Ping Yee ping@lfw.org
Mon, 14 Jan 2002 20:46:49 -0600 (CST)


On Mon, 14 Jan 2002, Neil Schemenauer wrote:
> Amazing what you learn by actually reading the PEP.

May i quote you on that?  :)

Just kidding.  More seriously: there is no security issue introduced
by PEP 215.  I saw the concerns being raised in the previous e-mail
messages on this topic, but every time i was about to compose a
reply, i found that Jason Orendorff had already provided exactly
the explanation i was about to give, or better.

So, thank you, Jason. :)

In short: PEP 215 suggests a syntactic transformation that turns

    $'the $quick brown $fox()'

into the fully equivalent

    'the %s brown %s' % (quick, fox())

The '$' prefix only applies to literals, and cannot be used as
an operator in front of other expressions or variables.  This
issue is pointed out specifically in the PEP:

     '$' works like an operator and could be implemented as an
     operator, but that prevents the compile-time optimization
     and presents security issues.  So, it is only allowed as a
     string prefix.

Therefore, this transformation executes *only* code that was
literally present in the original program.  (An example of this
transformation is given at the end of PEP 215 in the
"Implementation" section.)

(By the way, i myself am not yet fully convinced that a string
interpolation feature is something that Python desperately needs.
I do see some considerable potential for good, and so the purpose
of PEP 215 was to put a concrete and plausible proposal on the
table for discussion.  Given that proposal, which i believe to be
about as good as one could reasonably expect, we can hope to save
ourselves the expense of re-arguing the same issues repeatedly,
and make an informed decision about whether to add the feature.

Among the possible drawbacks/complaints i see are: more work for
automated source code tools, tougher editor syntax highlighting,
too many messy string prefix characters, and the addition of yet
one more Python feature to teach and document.  Security, however,
is not among them.)


-- ?!ng
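The compile-time rewrite the message describes, as an added example that is not part of the post or of PEP 215's implementation: it turns each $'...' literal into the equivalent '...' % (...) form, records which expressions end up being executed, and leaves a $ in front of anything other than a literal untouched so the compiler rejects it. The regex-based literal matching and the sample program are assumptions of this demo.

```python
import re
# Constructed demo of the PEP 215 rewrite (not the PEP's reference code): each
# $'...' literal becomes '...' % (...).  $$ -> $;  ${expr};  $name.attr[i](args)
_PLACEHOLDER = re.compile(
    r"\$\$|\$\{([^}]*)\}|\$([A-Za-z_]\w*(?:\.[A-Za-z_]\w*|\[[^\]]*\]|\([^)]*\))*)")
# The $ prefix is recognised only directly in front of a single-quoted literal.
_DOLLAR_LITERAL = re.compile(r"\$'((?:[^'\\\n]|\\.)*)'")
def transform_literal(body):
    """Rewrite the body of one $'...' literal into (format string, [expr sources])."""
    exprs = []
    def repl(m):
        if m.group(0) == "$$":
            return "$"
        exprs.append(m.group(1) if m.group(1) is not None else m.group(2))
        return "%s"
    fmt = _PLACEHOLDER.sub(repl, body.replace("%", "%%"))  # keep literal % intact
    return fmt, exprs

def transform_source(src):
    """Rewrite every $'...' literal in a program.  Any other $ is left alone, so
    the result fails to compile: $ is a string prefix, not an operator."""
    executed = []
    def repl(m):
        fmt, exprs = transform_literal(m.group(1))
        executed.extend(exprs)
        return "'%s' %% (%s)" % (fmt, "".join(e + ", " for e in exprs))
    return _DOLLAR_LITERAL.sub(repl, src), executed

def compiles(src):
    """True if the rewritten program is valid Python."""
    try:
        compile(transform_source(src)[0], "<pep215>", "exec")
        return True
    except SyntaxError:
        return False

# Constructed sample program; the first literal is the PEP's own example.
PROGRAM = """
quick = 'quick'
fox = lambda: 'fox'
sentence = $'the $quick brown $fox()'
price = $'costs $$${2 + 3} (10% off)'
"""

def run_program(src=PROGRAM):
    """Rewrite, compile and execute src; return (namespace, expressions executed)."""
    rewritten, executed = transform_source(src)
    namespace = {}
    exec(compile(rewritten, "<pep215>", "exec"), namespace)
    return namespace, executed
```

Every expression in the returned "executed" list is text that was already inside a literal in the program, which is the whole of the post's security argument.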