[Python-Dev] PEP 215 (string interpolation) alternative EvalDict
Jason Orendorff
jason@jorendorff.com
Mon, 14 Jan 2002 21:01:24 -0600
Steven Majewski wrote:
> On Mon, 14 Jan 2002, Jason Orendorff wrote:
>
> > > But just in case I'm seeing it all wrong: could you explain
> > > to me how PEP 215 *doesn't* have the potential of introducing
> > > a security hole ?
> >
> > Gladly.
> >
> > Every $-string can be converted to equivalent code that uses only:
> >
> > a) whatever code the programmer explicitly typed
> > in the $-string;
> > b) str() or unicode(); and
> > c) the + operator applied to strings.
>
> But the examples in PEP 215 don't follow those restrictions.
I dunno, it looks like they do to me.
$'a = $a, b = $b'
---> ('a = ' + str(a) + ', b = ' + str(b))
$u'uni${a}ode'
---> (u'uni' + unicode(a) + u'ode')
$'\$a'
---> ('\\' + str(a))
$r'\$a'
---> ('\\' + str(a))
$'$$$a.$b'
---> ('$' + str(a) + '.' + str(b))
$'a + b = ${a + b}'
---> ('a + b = ' + str(a + b))
$'References to $a: $sys.getrefcount(a)'
---> ('References to ' + str(a) + ': ' + str(sys.getrefcount(a)))
$"sys = $sys, sys = $sys.modules['sys']"
---> ('sys = ' + str(sys) + ', sys = ' + str(sys.modules['sys']))
$'BDFL = $sys.copyright.split()[4].upper()'
---> ('BDFL = ' + str(sys.copyright.split()[4].upper()))
In every case, the equivalent uses
a) some bits of code that the programmer explicitly typed
in the $-string;
b) str() or unicode();
and c) the + operator (to join the resulting strings).
I guess you're thinking "but those bits of code are invoking other
functions that aren't in your list". My point is, the equivalent
print statement, or % expression (the existing %, not your
proposed %) does the exact same thing.
print $'here we go: $y maps to $x[y]'
print 'here we go: %s maps to %s' % (y, x[y])
print 'here we go:', y, 'maps to', x[y]
print 'here we go: ' + str(y) + ' maps to ' + str(x[y])
Is one of these less secure than the others somehow?
There is no new security hole here.
## Jason Orendorff http://www.jorendorff.com/
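Added example (not part of the original message or of PEP 215): a small translator that performs the rewrite Jason describes, turning the body of a $-string into the equivalent expression built only from the programmer's own sub-expressions, str()/unicode(), and +. It is Python 3 code that emits the Python 2 spelling used in the post; the helper names (pieces, translate) and the handling of brackets and quotes inside `$name...` chains are my assumptions about the syntax, inferred from the nine examples above, and the function is meant to be applied to the text of a string literal, as the compile-time transform in the PEP would be.

```python
import re

# Hypothetical helpers (not from PEP 215 or the post): translate a $-string
# body into the equivalent "literal + str(expr) + literal" expression.

_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_CLOSE = {"(": ")", "[": "]", "{": "}"}


def _match_bracket(s, i):
    """Return the index just past the bracket that closes s[i].

    Tracks nesting and quoted strings so that $sys.modules['sys'] and
    ${f(a, b[0])} are scanned as one expression.
    """
    stack = [_CLOSE[s[i]]]
    quote = None
    j = i + 1
    while j < len(s):
        c = s[j]
        if quote:
            if c == "\\":
                j += 1                      # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c in _CLOSE:
            stack.append(_CLOSE[c])
        elif c == stack[-1]:
            stack.pop()
            if not stack:
                return j + 1
        elif c in ")]}":
            raise SyntaxError("mismatched %r at offset %d" % (c, j))
        j += 1
    raise SyntaxError("unterminated %r at offset %d" % (s[i], i))


def _scan_expr(s, i):
    """Scan $name followed by any chain of .attr, [subscript] or (call)."""
    m = _IDENT.match(s, i)
    if not m:
        raise SyntaxError("'$' must be followed by a name, '{' or '$'")
    j = m.end()
    while j < len(s):
        if s[j] == ".":
            m = _IDENT.match(s, j + 1)
            if not m:
                break                       # a bare '.' ends the chain
            j = m.end()
        elif s[j] in "([":
            j = _match_bracket(s, j)
        else:
            break
    return s[i:j], j


def pieces(template):
    """Split a $-string body into ('lit', text) and ('expr', code) parts.

    Every 'expr' part is a verbatim slice of the template: the only code
    that ever runs is code the programmer typed into the literal.
    """
    out, lit, i = [], [], 0
    while i < len(template):
        c = template[i]
        if c != "$":
            lit.append(c)
            i += 1
            continue
        if i + 1 >= len(template):
            raise SyntaxError("trailing '$'")
        nxt = template[i + 1]
        if nxt == "$":                      # $$ is a literal dollar sign
            lit.append("$")
            i += 2
            continue
        if lit:
            out.append(("lit", "".join(lit)))
            lit = []
        if nxt == "{":                      # ${expr}: any expression
            j = _match_bracket(template, i + 1)
            out.append(("expr", template[i + 2:j - 1].strip()))
        else:                               # $name.attr[index](call)...
            code, j = _scan_expr(template, i + 1)
            out.append(("expr", code))
        i = j
    if lit:
        out.append(("lit", "".join(lit)))
    return out


def translate(template, is_unicode=False):
    """Return the equivalent Python 2 source expression for a $-string body."""
    conv = "unicode" if is_unicode else "str"
    prefix = "u" if is_unicode else ""
    terms = []
    for kind, text in pieces(template):
        if kind == "lit":
            terms.append(prefix + repr(text))
        else:
            terms.append("%s(%s)" % (conv, text))
    if not terms:
        return "(" + prefix + "'')"
    return "(" + " + ".join(terms) + ")"


if __name__ == "__main__":
    # The nine PEP 215 examples from the post, as template bodies.
    for body, uni in [("a = $a, b = $b", False), ("uni${a}ode", True),
                      ("\\$a", False), ("$$$a.$b", False),
                      ("a + b = ${a + b}", False),
                      ("References to $a: $sys.getrefcount(a)", False),
                      ("sys = $sys, sys = $sys.modules['sys']", False),
                      ("BDFL = $sys.copyright.split()[4].upper()", False)]:
        print(translate(body, uni))
```

Running the script reproduces the translations listed in the post; pieces() makes the argument visible in data form, since each 'expr' entry is a substring copied straight out of the literal, and a template whose `$` is followed by anything other than a name, `{` or `$` is rejected rather than guessed at.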