[Python-Dev] PEP 215 (string interpolation) alternative EvalDict
Jason Orendorff
jason@jorendorff.com
Mon, 14 Jan 2002 23:33:24 -0600
Steven Majewski wrote:
> On Mon, 14 Jan 2002, Jason Orendorff wrote:
> > Steven Majewski wrote:
> > > On Mon, 14 Jan 2002, Jason Orendorff wrote:
> > > > Would someone please explain to me what is seen as a "possible
> > > > security issue" in PEP 215? Can anyone propose some real-life
> > > > situation where PEP 215 causes a vulnerability, and the
> > > > corresponding % syntax doesn't?
> > >
> > > Do you mean the current '%' or my expanded example ?
> >
> > I mean the current %.
> >
> > Well?
> >
>
> Paul is the one who (rightly) brought up the issue of security
> with respect to double evaluated strings. But in addition, he
> seemed to be saying that you can do more with a compile time
> test than you can with a runtime test. I disagree with that.
>
> I think, for the same semantics, you get the same security
> issues. I think it's very similar to the compile time type
> checking vs. dynamic typing problem. (In fact, I think it
> reduces to the same problem.)
>
> There are clearly some advantages to doing things compile time,
> but you don't get more security without more restriction.
As long as this "security issue" thread dies, I'm happy.
## Jason Orendorff http://www.jorendorff.com/
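The "double evaluated strings" concern in the quoted exchange is easier to see with code. The following is an added example written for this page, not code from the thread, from PEP 215, or from Python itself. It constructs three runtime expansion engines: classic `%(name)s` formatting, `string.Template` (both lookup semantics: a placeholder is a dictionary key), and a small `eval()`-based `${expr}` engine that stands in for expression-semantics interpolation (an assumption for illustration; it is not how PEP 215 proposed to implement `$"..."` strings). The hazard is the same in every engine: once text that contains untrusted data is fed through the engine a second time, placeholders inside that data are honoured. What differs is the damage: lookup semantics can at most read a name from the namespace, while expression semantics run whatever the data says, and the engines with a restricted placeholder grammar reject the expression outright. `SECRET`, the namespace, and the `name` values are constructed sample data.

```python
import re
import string

# Constructed sample data: a value the template author never meant to expose.
SECRET = "hunter2"

# Placeholder grammar for the expression-semantics engine: ${ anything }.
PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")


def eval_interpolate(template, namespace):
    """Expression semantics (deliberately hazardous stand-in): every ${...}
    is evaluated as a Python expression against `namespace`."""
    return PLACEHOLDER.sub(
        lambda m: str(eval(m.group(1), {}, namespace)), template
    )


def percent_interpolate(template, namespace):
    """Lookup semantics: %(key)s is a mapping lookup, never an expression."""
    return template % namespace


def template_interpolate(template, namespace):
    """Lookup semantics with a restricted grammar: ${key} must be an
    identifier, anything else is an invalid placeholder."""
    return string.Template(template).substitute(namespace)


def expand(engine, template, untrusted, passes=2):
    """Expand `template` through `engine` `passes` times, with `untrusted`
    bound to ${name} / %(name)s.  One pass is the correct use (data is
    inserted and never re-expanded); two passes is the double-evaluation
    hazard.  Returns the expanded text, or the exception class name when
    the engine rejects the re-expanded text."""
    namespace = {"name": untrusted, "secret": SECRET}
    text = template
    try:
        for _ in range(passes):
            text = engine(text, namespace)
    except Exception as exc:  # KeyError / ValueError from the engines above
        return "rejected: " + type(exc).__name__
    return text


if __name__ == "__main__":
    # Single pass: the untrusted text lands in the output as plain data.
    print(expand(eval_interpolate, "Hello, ${name}!", "${secret.upper()}", passes=1))
    # Second pass: expression semantics evaluate the data as code.
    print(expand(eval_interpolate, "Hello, ${name}!", "${secret.upper()}"))
    # Lookup semantics still leak a name on the second pass ...
    print(expand(percent_interpolate, "Hello, %(name)s!", "%(secret)s"))
    print(expand(template_interpolate, "Hello, ${name}!", "${secret}"))
    # ... but an expression is rejected rather than executed.
    print(expand(percent_interpolate, "Hello, %(name)s!", "%(secret.upper())s"))
    print(expand(template_interpolate, "Hello, ${name}!", "${secret.upper()}"))
```

The single-pass results are the safe baseline: the untrusted text is output verbatim whichever engine is used. Every engine misbehaves on the second pass, which is the point Steven makes about equal semantics giving equal problems; the lookup engines limit the blast radius to names already in the namespace, and the engines that restrict the placeholder grammar refuse the expression instead of running it. The fix that works for all three is structural: keep template literals and data in separate variables and never pass already-expanded text back through the engine.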