[Python-ideas] Custom string prefixes

Nick Coghlan ncoghlan at gmail.com
Fri May 31 00:25:25 CEST 2013


On 31 May 2013 07:15, "Eric Snow" <ericsnowcurrently at gmail.com> wrote:
>
> On Thu, May 30, 2013 at 2:22 PM, Haoyi Li <haoyi.sg at gmail.com> wrote:
> > The idea was to handle the prefix at either import or compile time (I'm not
> > actually sure of the distinction, although I'm sure there is one), so it
> > would be fully inlined by the time the code starts executing (over and over).
>
> Then that is basically the same idea as the one I thought I was
> extrapolating last night.  And I already said there why I think it's
> unnecessary.

Folks, there are several prior discussions on this list regarding AST based
metaprogramming. There *are* valid use cases for letting third party
libraries hook into the compilation system to transform a raw text string
into a different kind of object, with the three biggest examples being nice
subprocess invocations, inline SQL and implicit string interpolation that
only permit literals, thus avoiding most naive string injection
vulnerabilities.

Security is the main gain here, since many security vulnerabilities arise
from developers passing untrusted input to unsafe functions. By providing a
syntax that accepts only raw string literals, we could open up a new avenue
for more secure API design, as literals are just as trusted as any other
piece of source code.

This is *not* an easy problem to solve, but framing an initial exploration
as finding a way to replace the existing string prefix processing is a good
way to ground a proposed solution in practical reality.

Cheers,
Nick.

>
> -eric
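
The literal-only restriction described in the message above can be approximated today with a static check over the AST. The following is an added example, not code from the thread or from any Python proposal; the sink names `sql` and `shell` and the sample source are hypothetical and constructed for illustration.

```python
import ast

# Hypothetical sink names (assumption): functions that must only receive literal text.
LITERAL_ONLY_SINKS = {"sql", "shell"}

def _is_plain_literal(node):
    """True for a str constant, or '+' concatenation made only of str constants."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _is_plain_literal(node.left) and _is_plain_literal(node.right)
    return False  # names, f-strings, %-formatting, calls, starred args, ...

def _sink_name(call):
    """Name of the called function for plain calls (sql(...)) and attributes (db.sql(...))."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None

def find_nonliteral_sink_calls(source, sinks=LITERAL_ONLY_SINKS):
    """Return sorted (lineno, sink, node_kind) for sink calls whose first argument is not a literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _sink_name(node) not in sinks:
            continue
        arg = node.args[0] if node.args else None
        if arg is None or not _is_plain_literal(arg):
            kind = type(arg).__name__ if arg is not None else "missing"
            findings.append((node.lineno, _sink_name(node), kind))
    return sorted(findings)

# Constructed sample source: lines 2 and 7 pass, lines 3-6 mix in non-literal data.
SAMPLE = '''\
user = input()
sql("SELECT id FROM users WHERE active = 1")
sql("SELECT id FROM users WHERE name = '" + user + "'")
sql(f"SELECT id FROM users WHERE name = '{user}'")
sql("SELECT id FROM users WHERE name = '%s'" % user)
db.sql(query)
shell("ls " "-l")
'''

if __name__ == "__main__":
    for lineno, sink, kind in find_nonliteral_sink_calls(SAMPLE):
        print(f"line {lineno}: {sink}() called with non-literal argument ({kind})")
```

A check like this only sees calls made under the listed names; a syntax-level construct of the kind the message discusses would not depend on naming conventions.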