[Python-Dev] Issues with PEP 3101 (string formatting)

Chris McDonough chrism at plope.com
Tue Jun 19 16:24:05 CEST 2007 

Wrt http://www.python.org/dev/peps/pep-3101/

PEP 3101 says Py3K should allow item and attribute access syntax  
within string templating expressions but "to limit potential security  
issues", access to underscore prefixed names within attribute/item  
access expressions will be disallowed.

I am a person who has lived with the aftermath of a framework  
designed to prevent data access by restricting access to underscore- 
prefixed names (Zope 2, ahem), and I've found it's very hard to  
explain and justify.  As a result, I feel that this is a poor default  
policy choice for a framework.

In some cases, underscore names must become part of an object's  
external interface.  Consider a URL with one or more underscore- 
prefixed path segment elements (because prefixing a filename with an  
underscore is a perfectly reasonable thing to do on a filesystem, and  
path elements are often named after file names) fed to a traversal  
algorithm that attempts to resolve each path element into an object  
by calling __getitem__ against the parent found by the last path  
element's traversal result.  Perhaps this is poor design and  
__getitem__ should not be consulted here, but I doubt that highly  
because there's nothing particularly special about calling a method  
named __getitem__ as opposed to some method named "traverse".

The only precedent within Python 2 for this sort of behavior is  
limiting access to variables that begin with __ and which do not end  
with __ to the scope defined by a class and its instances.  I  
personally don't believe this is a very useful feature, but it's  
still only an advisory policy and you can worm around it with enough  
gyrations.

Given that security is a concern at all, the only truly reasonable  
way to "limit security issues" is to disallow item and attribute  
access completely within the string templating expression syntax.  It  
seems gratuituous to me to encourage string templating expressions  
with item/attribute access, given that you could do it within the  
format arguments just as easily in the 99% case, and we've (well...  
I've) happily been living with that restriction for years now.

But if this syntax is preserved, there really should be no *default*  
restrictions on the traversable names within an expression because  
this will almost certainly become a hard-to-explain, hard-to-justify  
bug magnet as it has become in Zope.

- C

More information about the Python-Dev mailing list