[Python-ideas] Another way to avoid clumsy lambdas, while adding new functionality
David Mertz
mertz at gnosis.cx
Wed Mar 5 22:20:59 CET 2014
On Wed, Mar 5, 2014 at 3:43 AM, Steven D'Aprano <steve at pearwood.info> wrote:
> >That is, what's really the point of having
> >
> > a = $(expr) # or `expr`, or `(expr), or c"expr"
> >
> > If it's simply a slightly shorter way of spelling:
> >
> > a = compile(expr, "<string>", "eval")
>
> You can't write it like that. You have to wrap the expression is quotes
> and turn it into a string:
>
> a = compile("expr", "<string>", "eval")
>
True, I misspelled my example. Or maybe my 'expr' implicitly meant
string_expr :-). But the basic point that the literal for a "thunk" is
already essentially available with compile() remains.
> which means you lose syntax highlighting. Perhaps the ability to get
> syntax highlighting is not sufficient to justify this idea.
>
There's no reason you even NEED to lose syntax highlighting. A code editor
could perfectly well have a highlight rule that strings inside compile()
calls get highlighted. Sure, that's a pretty special language mode, but
there's nothing that an editor couldn't do in principle.
> Another disadvantage: the ever-present temptation to pass a
> user-generated string to compile:
>
> a = compile(template % some_string, "<string>", "eval")
>
> If some_string came from an untrusted source, you are now the proud
> owner of a brand new code injection vulnerability. But with syntax, you
> cannot generate a thunk/macro except from code you write yourself. It's
> still code written by you, it's just that evaluation is delayed.
>
The literal hardly saves you from injection attacks. I could write this
too under the proposed idea:
foo = get_string_from_attacker()
a = $(foo)
b = a.eval()
Now one can say "don't do that!" ... but that advice applies just as well
to 'compile(unsafe_string, ...)'
--
Keeping medicines from the bloodstreams of the sick; food
from the bellies of the hungry; books from the hands of the
uneducated; technology from the underdeveloped; and putting
advocates of freedom in prisons. Intellectual property is
to the 21st century what the slave trade was to the 16th.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-ideas/attachments/20140305/d4fd1e42/attachment.html>
More information about the Python-ideas
mailing list