[Python-ideas] [Python-Dev] PEP-498: Literal String Formatting

Wes Turner wes.turner at gmail.com
Tue Aug 11 21:03:40 CEST 2015


On Tue, Aug 11, 2015 at 1:22 PM, Wes Turner <wes.turner at gmail.com> wrote:

>
>
> On Tue, Aug 11, 2015 at 12:52 PM, Wes Turner <wes.turner at gmail.com> wrote:
>
>> ... I'm now -1000 on this.
>>
>> ~"Make it hard to do wrong; or easy to do correctly"
>>
>> ... Here are these, (which should also not be used for porting shell
>> scripts to python):
>> http://jinja.pocoo.org/docs/dev/templates/#expressions
>>
>
> So, again, I am
> -1000 on (both of these PEPs)
> because they are just another way of making it too easy to do the wrong
> thing.
>
> * #1 most prevalent security vulnerability:
>   CWE-89 <http://cwe.mitre.org/data/definitions/89.html>: Improper
>   Neutralization of Special Elements used in an SQL Command ('SQL Injection')
>
>    * ORM with parametrization, quoting, escaping and lists of reserved
> words
>      * SQLAlchemy
>
> * #2 most prevalent security vulnerability:
>   CWE-78 <http://cwe.mitre.org/data/definitions/78.html>: Improper
>   Neutralization of Special Elements used in an OS Command ('OS Command
>   Injection')
>
>    * Command preparation library (which builds a tuple() for exec)
>      * Sarge, subprocess.call(shell=False=0)
>
>
> - [ ] DOC: (Something like this COULD/SHOULD be in the % and str.format
> docs as well)
>

Maybe it would be helpful to think of string concatenation
more in terms of compiling a template for
serializable DOM(html,js,brython)/doctree(docutils,sphinx)/jinja nodes
which have types (Path, CommandOption/Arg, [Tag, Attr])
and appropriate quoting, escaping, encoding, **and translation** rules
according to a given output context.


    # because this is what could just not be:
    # (each line splices cmd, unescaped, into a string that /bin/sh will parse)
    [os.system(f'echo "{cmd}"') for cmd in cmds]
    os.system(f"echo2 '{cmd}'")

What is the target output format for this string concatenation,
most of the time?


>
>>
>> On Tue, Aug 11, 2015 at 12:48 PM, Wes Turner <wes.turner at gmail.com>
>> wrote:
>>
>>>
>>> On Tue, Aug 11, 2015 at 12:08 PM, Nick Coghlan <ncoghlan at gmail.com>
>>> wrote:
>>>
>>>> [off list]
>>>>
>>>> On 12 August 2015 at 01:28, Wes Turner <wes.turner at gmail.com> wrote:
>>>> >
>>>> > On Aug 11, 2015 10:19 AM, "Wes Turner" <wes.turner at gmail.com> wrote:
>>>> >>
>>>> >>
>>>> >> On Aug 11, 2015 10:10 AM, "Alexander Walters" <
>>>> tritium-list at sdamon.com>
>>>> >> wrote:
>>>> >> >
>>>> >> > This may seem like a simplistic solution to i18n, but why not just
>>>> add a
>>>> >> > method to string objects (assuming we implement f-strings) that
>>>> just returns
>>>> >> > the original, unprocessed string.  If the string was not an
>>>> f-string, it
>>>> >> > just returns self.  The gettext module can be modified, I think
>>>> trivially,
>>>> >> > to use the method instead of the string directly.
>>>> >> >
>>>> >> > Is this a horrible idea?
>>>> >
>>>> > - [ ] review all string interpolation (for "injection")
>>>> >   * [ ] review every '%'
>>>> >   * [ ] review every ".format()"
>>>> >   * [ ] review every f-string (AND LOCALS AND GLOBALS)
>>>> >   * every os.system, os.exec*, subprocess.Popen
>>>> >   * every unclosed tag
>>>> >   * every unescaped control character
>>>> >
>>>> > This would create work we don't need.
>>>> >
>>>> > Solution: __str_shell_ escapes, adds slashes, and quotes.
>>>> __str__SQL__ refs
>>>> > a global list of reserved words.
>>>>
>>>> Wes, we're not mind readers - I know you're trying to be concise to
>>>> save people time when reading, but these bullet-point-only posts are
>>>> *harder* to read than if you wrote out a full explanation of what you
>>>> meant. With this cryptic form, we have to try to guess the missing
>>>> pieces, which is slower and less certain than having them already
>>>> written out in the post.
>>>>
>>>
>>> ~"This is another way to make it easier to do the wrong thing; where a
>>> better solution (AND/OR DOCS ON ALL STRING INTERPOLATION) would be less
>>> likely to increase the occurrence of CWE TOP 25 #1 and #2"
>>>
>>> printf is often dangerous and wrong because things aren't escaped (or
>>> scope is not controlled, or things are mutable)
>>>
>>>
>>> ~"Make it hard to do; or easy to do the right way"
>>>
>>>
>>>>
>>>> Regards,
>>>> Nick.
>>>>
>>>> --
>>>> Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
>>>>
>>>
>>>
>>
>
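The two CWEs the message names, shown side by side in working code. This is an added example, not code from the thread or from the PEP: the table rows, the `SQL_PAYLOAD` and `SHELL_PAYLOAD` strings and the function names are all constructed for illustration. The "unsafe" functions reproduce the interpolation pattern of the `os.system(f'echo "{cmd}"')` line above; the "safe" ones are the remedies the message lists (bound parameters for SQL, an argv list with `shell=False` for commands), plus `shlex.quote()` for the case where a shell really is unavoidable. Nothing here touches a real database or runs anything beyond `echo`.

```python
"""Added example (not from the thread): CWE-89 and CWE-78 via string
interpolation, each beside its parameterised form.

All inputs are constructed to look like attacker-supplied values.
"""
import shlex
import sqlite3
import subprocess


# --- CWE-89: SQL built by interpolation vs. bound parameters ----------------

def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # The value is pasted into the SQL text, so a quote inside `name`
    # ends the literal and the rest is parsed as SQL.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Placeholder plus parameter: the driver passes `name` as data, never as SQL.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# --- CWE-78: shell command built by interpolation vs. an argv list ----------

def echo_unsafe(arg: str) -> str:
    # Same shape as os.system(f'echo "{cmd}"'): arg is spliced into a command
    # line that /bin/sh then parses, so `"` and `;` inside arg are live syntax.
    out = subprocess.run(f'echo "{arg}"', shell=True,
                         capture_output=True, text=True)
    return out.stdout


def echo_quoted(arg: str) -> str:
    # If a shell is unavoidable, shlex.quote() makes the shell see one word.
    out = subprocess.run(f"echo {shlex.quote(arg)}", shell=True,
                         capture_output=True, text=True)
    return out.stdout


def echo_argv(arg: str) -> str:
    # Preferred: no shell at all. arg reaches execve() as one argv entry,
    # which is what the message's "builds a tuple() for exec" means.
    out = subprocess.run(["echo", arg], shell=False,
                         capture_output=True, text=True)
    return out.stdout


# Constructed attacker inputs.
SQL_PAYLOAD = "nobody' OR '1'='1"
SHELL_PAYLOAD = 'hi"; echo INJECTED; echo "'


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, SQL_PAYLOAD))    # every row leaks
    print(lookup_safe(db, SQL_PAYLOAD))      # []
    print(repr(echo_unsafe(SHELL_PAYLOAD)))  # 'hi\nINJECTED\n\n'
    print(repr(echo_quoted(SHELL_PAYLOAD)))  # payload printed literally
    print(repr(echo_argv(SHELL_PAYLOAD)))    # payload printed literally
```

Running it on a POSIX system shows the asymmetry the message is getting at: the interpolated SQL returns all three rows for a name that matches none of them, and the interpolated shell line runs the injected `echo INJECTED` as a second command, while the parameterised variants return nothing and print the payload as inert text.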
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-ideas/attachments/20150811/71d74927/attachment-0001.html>