[Python-Dev] Utopian String Interpolation

Paul Prescod paul@prescod.net
Thu, 17 Jan 2002 12:10:27 -0800


"M.-A. Lemburg" wrote:
> 
>...
> 
> It is. Currently Python strings are just that: immutable strings.
> Now, you suddenly add dynamics to them.

I don't want to go through this whole thread from the beginning again.
PEP 215 does not add "dynamics" to anything. In fact, PEP 215 is a more
static mechanism than the current idiom. Even if we make PEP 215's
behaviour the default for strings, it is still NOT DYNAMIC.

>... This will cause nightmares
> in terms of security. 

There is a thread called "PEP 215 does not introduce security issues".
Please read it. Everyone involved who initially thought that PEP 215 had
security issues backed down and agreed that it did not. Once again,
whether there is a string prefix or not is irrelevant to this question.
PEP 215's semantics are *not dynamic*.

> ... Note that Python hasn't really had a need
> for Perl's "taint" because of this. I wouldn't want to see that
> change in any way.

I am certainly not a Perl programmer but Python is also attackable
through the sorts of holes that "taint" is intended to avoid.

import os

# Deliberately dangerous: the untrusted username reaches a shell unquoted
# (Python 2 raw_input(); the interpolation syntax is not the problem).
username = raw_input()
os.system("cp %s.new %s.old" % (username, username))

Perl considers this "dangerous" and so it has taint. It has *nothing* to
do with interpolation syntax.

>...
> Huh ? I bet RedHat and thousands of sysadmins who have switched
> from shell or Perl to Python would have strong objections.

Python has a construct called a "raw string" which is perfect for when
you don't want backslashes treated specially.

 Paul Prescod
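The cp hole discussed above, as an added Python 3 example that is not part of the original thread and is not the author's code: it builds the post's command with several interpolation styles (the % operator, str.format, an f-string, and string.Template's $-syntax, which is the closest shipped relative of the PEP 215 proposal) to show they yield the identical dangerous string, then shows the two fixes a practitioner actually wants: hand the arguments to the program as an argv list with no shell in between, or, when a shell is unavoidable, quote each value with shlex.quote. The sample username, the username policy regex, and all helper names are assumptions made for illustration.

```python
import re
import shlex
import subprocess
from string import Template

# Constructed sample input: an attacker-controlled "username" that smuggles
# a second command past a shell.  Not taken from the original post.
MALICIOUS_USERNAME = "alice; touch /tmp/pwned"

# Assumed policy for what a username may look like (classic Unix login rule).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def build_command(username, style="percent"):
    """Build the post's cp command string with the requested interpolation style.

    All styles produce byte-for-byte the same string, which is the point:
    the hole comes from passing attacker text to a shell, not from the
    syntax used to splice it in.
    """
    if style == "percent":
        return "cp %s.new %s.old" % (username, username)
    if style == "format":
        return "cp {0}.new {0}.old".format(username)
    if style == "fstring":
        return f"cp {username}.new {username}.old"
    if style == "template":
        # $-style substitution (PEP 292), the closest relative of PEP 215.
        return Template("cp $u.new $u.old").substitute(u=username)
    raise ValueError("unknown style: %r" % style)


def shell_command_count(command):
    """Heuristic: how many shell commands would this string run?

    Tokenises with shlex treating ; & | ( ) < > as punctuation and counts
    the command separators.  A benign single cp yields 1.
    """
    separators = {";", "&&", "||", "|", "&"}
    tokens = list(shlex.shlex(command, punctuation_chars=True))
    return 1 + sum(1 for t in tokens if t in separators)


def validate_username(username):
    """Allow-list check: reject anything outside the assumed policy."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username: %r" % username)
    return username


def safe_argv(username):
    """Fix 1: no shell at all.  Each value is exactly one argv element, so a
    username containing ';' is just an odd filename for cp, never a command."""
    return ["cp", username + ".new", username + ".old"]


def copy_user_files(username):
    """Run cp without a shell; validation comes first so garbage never starts."""
    validate_username(username)
    return subprocess.run(safe_argv(username), check=False).returncode


def quoted_command(username):
    """Fix 2: if a shell is unavoidable, quote each interpolated value.
    shlex.quote wraps unsafe values in single quotes, so ';' stays literal."""
    q = shlex.quote(username)
    return "cp %s.new %s.old" % (q, q)


if __name__ == "__main__":
    for style in ("percent", "format", "fstring", "template"):
        cmd = build_command(MALICIOUS_USERNAME, style)
        print("%-9s -> %d command(s): %s" % (style, shell_command_count(cmd), cmd))
    print("argv  :", safe_argv(MALICIOUS_USERNAME))
    print("quoted:", quoted_command(MALICIOUS_USERNAME))
```

shell_command_count is only a demonstration heuristic (it does not see through backticks or $(...) substitution); the real defence is safe_argv, which never lets a shell parse the value, with validate_username as a second layer.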