[Python-ideas] [Python-Dev] PEP-498: Literal String Formatting
Wes Turner
wes.turner at gmail.com
Tue Aug 11 20:22:06 CEST 2015
On Tue, Aug 11, 2015 at 12:52 PM, Wes Turner <wes.turner at gmail.com> wrote:
> ... I'm now -1000 on this.
>
> ~"Make it hard to do wrong; or easy to do correctly"
>
> ... Here are these, (which should also not be used for porting shell
> scripts to python): http://jinja.pocoo.org/docs/dev/templates/#expressions
>
So, again, I am
-1000 on (both of these PEPs)
because they are just another way of making it too easy to do the wrong
thing.
* #1 most prevalent security vulnerability:
  CWE-89 <http://cwe.mitre.org/data/definitions/89.html>: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  * ORM with parametrization, quoting, escaping and lists of reserved words
    * SQLAlchemy
* #2 most prevalent security vulnerability:
  CWE-78 <http://cwe.mitre.org/data/definitions/78.html>: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  * Command preparation library (which builds a tuple() for exec)
    * Sarge, subprocess.call(shell=False=0)
- [ ] DOC: (Something like this COULD/SHOULD be in the % and str.format docs as well)
>
> On Tue, Aug 11, 2015 at 12:48 PM, Wes Turner <wes.turner at gmail.com> wrote:
>
>>
>> On Tue, Aug 11, 2015 at 12:08 PM, Nick Coghlan <ncoghlan at gmail.com>
>> wrote:
>>
>>> [off list]
>>>
>>> On 12 August 2015 at 01:28, Wes Turner <wes.turner at gmail.com> wrote:
>>> >
>>> > On Aug 11, 2015 10:19 AM, "Wes Turner" <wes.turner at gmail.com> wrote:
>>> >>
>>> >>
>>> >> On Aug 11, 2015 10:10 AM, "Alexander Walters" <
>>> tritium-list at sdamon.com>
>>> >> wrote:
>>> >> >
>>> >> > This may seam like a simplistic solution to i18n, but why not just
>>> add a
>>> >> > method to string objects (assuming we implement f-strings) that
>>> just returns
>>> >> > the original, unprocessed string. If the string was not an
>>> f-string, it
>>> >> > just returns self. The gettext module can be modified, I think
>>> trivially,
>>> >> > to use the method instead of the string directly.
>>> >> >
>>> >> > Is this a horrible idea?
>>> >
>>> > - [ ] review all string interpolation (for "injection")
>>> > * [ ] review every '%'
>>> > * [ ] review every ".format()"
>>> > * [ ] review every f-string (AND LOCALS AND GLOBALS)
>>> > * every os.system, os.exec*, subprocess.Popen
>>> > * every unclosed tag
>>> > * every unescaped control character
>>> >
>>> > This would create work we don't need.
>>> >
>>> > Solution: __str_shell_ escapes, adds slashes, and quotes. __str__SQL__
>>> refs
>>> > a global list of reserved words.
>>>
>>> Wes, we're not mind readers - I know you're trying to be concise to
>>> save people time when reading, but these bullet-point-only posts are
>>> *harder* to read than if you wrote out a full explanation of what you
>>> meant. With this cryptic form, we have to try to guess the missing
>>> pieces, which is slower and less certain than having them already
>>> written out in the post.
>>>
>>
>> ~"This is another way to make it easier to do the wrong thing; where a
>> better solution (AND/OR DOCS ON ALL STRING INTERPOLATION) would be less
>> likely to increase the occurrence of CWE TOP 25 #1 and #2"
>>
>> printf is often dangerous and wrong because things aren't escaped (or
>> scope is not controlled, or things are mutable)
>>
>>
>> ~"Make it hard to do; or easy to do the right way"
>>
>>
>>>
>>> Regards,
>>> Nick.
>>>
>>> --
>>> Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
>>>
>>
>>
>
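The two patterns the message above contrasts (string interpolation into SQL or a shell command versus parameter binding and an argv tuple with shell=False), as an added example that is not from the thread; the users table, the names and the grep argv are constructed for the demonstration.

```python
import shlex
import sqlite3


def make_db():
    # Constructed sample table for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")])
    return conn


def count_interpolated(conn, name):
    # CWE-89 pattern the post warns about: the value is pasted into the SQL
    # text, so a quote inside it ends the literal and changes the statement.
    sql = "SELECT COUNT(*) FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchone()[0]


def count_parameterized(conn, name):
    # Parameter binding: the statement is fixed and the value is bound
    # separately, so it stays data however it is spelled.
    sql = "SELECT COUNT(*) FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone()[0]


def interpolated_breaks(conn, name):
    # True when a legitimate value (an apostrophe in a surname) is enough
    # to turn the interpolated query into invalid SQL.
    try:
        count_interpolated(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


def build_argv(pattern, path):
    # CWE-78 side: build the argument tuple for subprocess with shell=False
    # instead of a command string; each untrusted value is one argv element.
    return ("grep", "--", pattern, path)


def argv_survives_shell_quoting(argv):
    # If a shell string is unavoidable, shlex.join quotes every element so
    # that re-splitting yields the same argument boundaries.
    return shlex.split(shlex.join(argv)) == list(argv)
```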