[Python-ideas] [Python-Dev] PEP-498: Literal String Formatting

Wes Turner wes.turner at gmail.com
Tue Aug 11 21:05:59 CEST 2015


On Tue, Aug 11, 2015 at 1:37 PM, Ryan Gonzalez <rymg19 at gmail.com> wrote:

> Isn't it already like this? It's no harder than:
>
> Popen('%s a.c' % cc, shell=True)
>
> Heck, I used to do that when I started programming (I hadn't yet learned
> about injection stuff).
>
> If someone is uneducated about injection, they *will do it anyway*. The
> introduction of format strings (f-strings sounds like a certain word to
> me...) wouldn't make it any easier, really.
>

Well, exactly. So I/we must grep for shell=True, %, .format(,
.format_globals(**kwargs),
and f" or f'
and update static analysis tools (to essentially re-AST string.Template
with merge(globals, locals, kwargs))


>
> On August 11, 2015 1:22:06 PM CDT, Wes Turner <wes.turner at gmail.com>
> wrote:
>
>>
>>
>> On Tue, Aug 11, 2015 at 12:52 PM, Wes Turner <wes.turner at gmail.com>
>> wrote:
>>
>>> ... I'm now -1000 on this.
>>>
>>> ~"Make it hard to do wrong; or easy to do correctly"
>>>
>>> ... Here are these, (which should also not be used for porting shell
>>> scripts to python):
>>> http://jinja.pocoo.org/docs/dev/templates/#expressions
>>>
>>
>> So, again, I am
>> -1000 on (both of these PEPs)
>> because they are just another way of making it too easy to do the wrong
>> thing.
>>
>> * #1 most prevalent security vulnerability:
>>   CWE-89 <http://cwe.mitre.org/data/definitions/89.html>: Improper
>>   Neutralization of Special Elements used in an SQL Command ('SQL Injection')
>>
>>    * ORM with parametrization, quoting, escaping and lists of reserved
>> words
>>      * SQLAlchemy
>>
>> * #2 most prevalent security vulnerability:
>>   CWE-78 <http://cwe.mitre.org/data/definitions/78.html>: Improper
>>   Neutralization of Special Elements used in an OS Command ('OS Command
>>   Injection')
>>
>>    * Command preparation library (which builds a tuple() for exec)
>>      * Sarge, subprocess.call(shell=False=0)
>>
>>
>> - [ ] DOC: (Something like this COULD/SHOULD be in the % and str.format
>> docs as well)
>>
>>
>>>
>>> On Tue, Aug 11, 2015 at 12:48 PM, Wes Turner <wes.turner at gmail.com>
>>> wrote:
>>>
>>>>
>>>> On Tue, Aug 11, 2015 at 12:08 PM, Nick Coghlan <ncoghlan at gmail.com>
>>>> wrote:
>>>>
>>>>> [off list]
>>>>>
>>>>> On 12 August 2015 at 01:28, Wes Turner <wes.turner at gmail.com> wrote:
>>>>> >
>>>>> > On Aug 11, 2015 10:19 AM, "Wes Turner" <wes.turner at gmail.com> wrote:
>>>>> >>
>>>>> >>
>>>>> >> On Aug 11, 2015 10:10 AM, "Alexander Walters" <
>>>>> tritium-list at sdamon.com>
>>>>> >> wrote:
>>>>> >> >
>>>>> >> > This may seem like a simplistic solution to i18n, but why not
>>>>> just add a
>>>>> >> > method to string objects (assuming we implement f-strings) that
>>>>> just returns
>>>>> >> > the original, unprocessed string.  If the string was not an
>>>>> f-string, it
>>>>> >> > just returns self.  The gettext module can be modified, I think
>>>>> trivially,
>>>>> >> > to use the method instead of the string directly.
>>>>> >> >
>>>>> >> > Is this a horrible idea?
>>>>> >
>>>>> > - [ ] review all string interpolation (for "injection")
>>>>> >   * [ ] review every '%'
>>>>> >   * [ ] review every ".format()"
>>>>> >   * [ ] review every f-string (AND LOCALS AND GLOBALS)
>>>>> >   * every os.system, os.exec*, subprocess.Popen
>>>>> >   * every unclosed tag
>>>>> >   * every unescaped control character
>>>>> >
>>>>> > This would create work we don't need.
>>>>> >
>>>>> > Solution: __str_shell_ escapes, adds slashes, and quotes.
>>>>> __str__SQL__ refs
>>>>> > a global list of reserved words.
>>>>>
>>>>> Wes, we're not mind readers - I know you're trying to be concise to
>>>>> save people time when reading, but these bullet-point-only posts are
>>>>> *harder* to read than if you wrote out a full explanation of what you
>>>>> meant. With this cryptic form, we have to try to guess the missing
>>>>> pieces, which is slower and less certain than having them already
>>>>> written out in the post.
>>>>>
>>>>
>>>> ~"This is another way to make it easier to do the wrong thing; where a
>>>> better solution (AND/OR DOCS ON ALL STRING INTERPOLATION) would be less
>>>> likely to increase the occurrence of CWE TOP 25 #1 and #2"
>>>>
>>>> printf is often dangerous and wrong because things aren't escaped (or
>>>> scope is not controlled, or things are mutable)
>>>>
>>>>
>>>> ~"Make it hard to do; or easy to do the right way"
>>>>
>>>>
>>>>>
>>>>> Regards,
>>>>> Nick.
>>>>>
>>>>> --
>>>>> Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
>>>>>
>>>>
>>>>
>>>
>>
> --
> Sent from my Nexus 5 with K-9 Mail. Please excuse my brevity.
>
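The "grep for shell=True, %, .format( and f-strings" idea from the reply above, done as a small AST check instead of a grep. This is an added example, not code from the thread or from CPython; the function names and the SAMPLE source are constructed for illustration.

```python
import ast

# Added example: flag subprocess calls that pass shell=True together with a
# command string built by %, str.format() or an f-string (PEP 498).
SUBPROCESS_FUNCS = {"Popen", "call", "check_call", "check_output", "run"}

def _is_interpolated(node: ast.AST) -> bool:
    """True if the expression builds a string via %, .format() or an f-string."""
    if isinstance(node, ast.JoinedStr):                       # f"..." (PEP 498)
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return True                                           # "..." % args
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                           # "...".format(args)
    return False

def _is_subprocess_call(call: ast.Call) -> bool:
    f = call.func
    if isinstance(f, ast.Attribute) and f.attr in SUBPROCESS_FUNCS:
        return isinstance(f.value, ast.Name) and f.value.id == "subprocess"
    return isinstance(f, ast.Name) and f.id in SUBPROCESS_FUNCS

def find_shell_interpolation(source: str):
    """Return (lineno, message) for each subprocess call that mixes shell=True
    with an interpolated command string; argv lists and constants are not flagged."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_subprocess_call(node)):
            continue
        shell_true = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                         and kw.value.value is True for kw in node.keywords)
        if shell_true and node.args and _is_interpolated(node.args[0]):
            findings.append((node.lineno, "shell=True with interpolated command"))
    return findings

# Constructed sample input: the pattern quoted in the thread plus safe variants.
SAMPLE = '''
from subprocess import Popen
import subprocess
cc = "gcc"
Popen('%s a.c' % cc, shell=True)                   # flagged: % interpolation
subprocess.call(f"{cc} a.c", shell=True)           # flagged: f-string
subprocess.run("{} a.c".format(cc), shell=True)    # flagged: .format()
subprocess.run([cc, "a.c"])                        # argv tuple/list, shell=False
Popen("ls -l", shell=True)                         # constant string, not flagged
'''

if __name__ == "__main__":
    for lineno, msg in find_shell_interpolation(SAMPLE):
        print(f"line {lineno}: {msg}")
```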