[Python-ideas] String interpolation for all literal strings
Wes Turner
wes.turner at gmail.com
Fri Aug 7 00:15:49 CEST 2015
On Thu, Aug 6, 2015 at 2:44 PM, Eric V. Smith <eric at trueblade.com> wrote:
> On 08/06/2015 03:02 PM, Wes Turner wrote:
> >
> >
> > On Wed, Aug 5, 2015 at 8:58 PM, Terry Reedy <tjreedy at udel.edu
> > <mailto:tjreedy at udel.edu>> wrote:
> >
> > On 8/5/2015 3:34 PM, Yury Selivanov wrote:
> >
> > '\{..}' feels unbalanced and weird.
> >
> >
> > Escape both. The closing } is also treated specially, and not
> > inserted into the string. The compiler scans linearly from left to
> > right, but human eyes are not so constrained.
> >
> > s = "abc\{kjljid some long expression jk78738}def"
> >
> > versus
> >
> > s = "abc\{kjljid some long expression jk78738\}def"
> >
> > and how about
> >
> > s = "abc\{kjljid some {long} expression jk78738\}def"
> >
> >
> > +1: escape \{both\}.
> >
> > Use cases where this is (as dangerous as other string interpolation
> > methods):
> >
> > * Shell commands that should be shlex-parsed/quoted
> > * (inappropriately, programmatically) writing
> > code with manually-added quotes ' and doublequotes "
> > * XML,HTML,CSS,SQL, textual query language injection
> > * Convenient, but dangerous and IMHO much better handled
> > by e.g. MarkupSafe, a DOM builder, a query ORM layer
> >
> > Docs / Utils:
> >
> > * [ ] ENH: AST scanner for these (before i do __future__ import)
> > * [ ] DOC: About string interpolation, in general
>
> I don't understand what you're trying to say.
>
> os.system("cp \{cmd}")
>
> is no better or worse than:
>
> os.system("cp " + cmd)
>
All wrong (without appropriate escaping):
os.system("cp thisinthemiddleofmy\{cmd}.tar")
os.system("cp thisinthemiddleofmy\{cmd\}.tar")
os.system("cp " + cmd)
os.exec*
os.spawn*
Okay:
subprocess.call(('cp', 'thisinthemiddleofmy\{cmd\}.tar'))  # shell=True=Dangerous
sarge.run('cp thisinthemiddleofmy{0!s}.tar', cmd)
>
> Yes, there are lots of opportunities in the world for injection attacks.
> This proposal doesn't change that. I don't see how escaping the final }
> changes anything.
>
> Eric.
>
>
> _______________________________________________
> Python-ideas mailing list
> Python-ideas at python.org
> https://mail.python.org/mailman/listinfo/python-ideas
> Code of Conduct: http://python.org/psf/codeofconduct/
>
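The contrast Wes draws above, between splicing a value into shell source text (`os.system("cp " + cmd)`) and handing it to `subprocess` as one argv element, can be checked mechanically. The following is an added example, not code from the thread or from any of its participants; the untrusted value `UNTRUSTED` is constructed for the demonstration (a harmless `echo` stands in for anything a real caller could not trust), and `shlex.split` is used only to show how many words the shell would receive.

```python
"""Added example: why 'cp ' + cmd is unsafe and the argv form is not."""
import shlex
from typing import Dict, List, Tuple

# Constructed untrusted value for the demonstration. It contains a command
# separator and a second word, which is all a shell needs to see two commands.
UNTRUSTED = "x; echo injected"


def shell_command_unsafe(cmd: str) -> str:
    """Build the command the way os.system("cp " + cmd) does: cmd is spliced
    straight into shell source text, so the shell will re-tokenise it."""
    return "cp thisinthemiddleofmy" + cmd + ".tar"


def shell_command_quoted(cmd: str) -> str:
    """Same command, but the filename is wrapped with shlex.quote, so the
    shell sees exactly one word no matter what cmd contains."""
    return "cp " + shlex.quote("thisinthemiddleofmy" + cmd + ".tar")


def argv_safe(cmd: str) -> List[str]:
    """The subprocess.call((...)) form from the thread: an argv list run with
    shell=False, so no shell parsing happens and cmd stays one argument."""
    return ["cp", "thisinthemiddleofmy" + cmd + ".tar"]


def shell_words(command: str) -> List[str]:
    """Split a command string into words the way a POSIX shell would."""
    return shlex.split(command)


def command_is_intact(words: List[str], expected: int = 2) -> bool:
    """A 'cp <file>' command is exactly two words; anything more means the
    untrusted value escaped the filename position."""
    return len(words) == expected


def audit(cmd: str) -> Dict[str, Tuple[List[str], bool]]:
    """For each construction, return the words the shell (or execve) would
    receive and whether the filename stayed a single word."""
    unsafe_words = shell_words(shell_command_unsafe(cmd))
    quoted_words = shell_words(shell_command_quoted(cmd))
    argv = argv_safe(cmd)
    return {
        "unsafe": (unsafe_words, command_is_intact(unsafe_words)),
        "quoted": (quoted_words, command_is_intact(quoted_words)),
        "argv": (argv, command_is_intact(argv)),
    }


if __name__ == "__main__":
    for name, (words, ok) in audit(UNTRUSTED).items():
        print(f"{name:7s} intact={ok!s:5s} {words}")
```

`shlex.split` does not model `;` as a command separator, so the "unsafe" row shows four words rather than the two separate commands a real shell would run; the extra words are already enough to show that the value leaked past the filename. The "quoted" row is the minimum repair when a shell string is unavoidable, and the "argv" row is the form the thread recommends, where the question of quoting never arises because no shell is involved.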