[Python-Dev] Arbitrary non-identifier string keys when using **kwargs

Chris Jerdonek chris.jerdonek at gmail.com
Wed Oct 10 02:41:32 EDT 2018

On Tue, Oct 9, 2018 at 8:55 PM Guido van Rossum <guido at python.org> wrote:
> On Tue, Oct 9, 2018 at 7:49 PM Chris Jerdonek <chris.jerdonek at gmail.com> wrote:
>> On Tue, Oct 9, 2018 at 7:13 PM Benjamin Peterson <benjamin at python.org> wrote:
>> > Can anyone think of a situation where it would be advantageous for an implementation to reject non-identifier string kwargs? I can't.
>> One possibility is that it could foreclose certain security bugs from
>> happening. For example, if someone has an API that accepts **kwargs,
>> they might have the mistaken assumption that the keys are identifiers
>> without special characters like ";" etc, and so they could make the
>> mistake of thinking they don't need to escape / sanitize them.
> Hm, that's not an entirely unreasonable concern. How would an attacker get such keys *into* the dict?

I was just thinking json. It could be a config-file type situation, or
a web API that accepts json.

For example, there are JSON-RPC implementations in Python:
that translate json dicts directly into **kwargs:

On the server side, the application could be doing something like
assuming that the kwargs are e.g. column names paired with values to
construct a string in SQL or in some other language or format.


> One possible scenario would be something that parses a traditional web query string into a dict, passes it down through **kwds, and then turns it back into another query string without proper quoting. But the most common (and easiest) way to turn a dict into a query string is calling urlencode(), which quotes unsafe characters.
> I think we needn't rush this (and when in doubt, status quo wins, esp. when there's no BDFL :-).
> --
> --Guido van Rossum (python.org/~guido)

More information about the Python-Dev mailing list