[Python-ideas] [Python-Dev] PEP-498: Literal String Formatting
Wes Turner
wes.turner at gmail.com
Tue Aug 11 21:35:46 CEST 2015
On Tue, Aug 11, 2015 at 2:25 PM, Joonas Liik <liik.joonas at gmail.com> wrote:
> I would rather think of this as an opportunity to help avoid injection
> vectors.
>
you get an "F" grade/letter/mark every time you build an f-string
without defining what the user-supplied input and destination outputs
could/would be.
>
> if there was a separate.. . interpolation provider ..
> then something like
>
> os.system('dosomething {a} {b} {c}'.format(...))
>
> could be written as ( !cmd here being a special type of f-string that does
> command line escaping, borrowing syntax from another thread a few days
> ago..)
>
> os.sytem(!cmd'dosomething {a} {b} {c}')
>
sarge.run('do something {0} {1} {2}', a, b, c) is currently supported
(and could/should be stdlib IMHO)
https://sarge.readthedocs.org/en/latest/overview.html#why-not-just-use-subprocess
.
* (again, sorry) this adds ~subprocess compat to sarge:
https://bitbucket.org/vinay.sajip/sarge/pull-requests/1/enh-add-call-check_call-check_output
("ENH: Add call, check_call, check_output, CalledProcessError,
expect_returncode")
>
> This is both shorter and more resilient to injections.
> Essentially it feels like you annotate a string as "this will be executed
> on the command line" and the interpolation adapts.
>
> this would make doing the right thing the same as doing the easy thing and
> this would be good overall, no?
> I don't know about you, but i dont know by heart how to escape arbitrary
> user input and deal with all of the corner cases.
>
So, IPython/Jupyter understands _repr_html_ (_repr_*_) methods,
IDK why we couldn't have e.g. _repr_shell_path_, _repr_shell_cmdarg_,
_repr_sql_sqlite_reserved_keywords_.
Representing things for an output format which is expressed as a string
but has control characters
in order to separate data and code.
>
> yes, you can do this more safely with Popen.. but that is quite a bit more
> effort.
> also often times there is no such alternative or it is very unweildy (sql
> land this happens more often)
>
POSIX exec accepts a tuple (and does not parse ';' or '--').
>
>
>
> _______________________________________________
> Python-ideas mailing list
> Python-ideas at python.org
> https://mail.python.org/mailman/listinfo/python-ideas
> Code of Conduct: http://python.org/psf/codeofconduct/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-ideas/attachments/20150811/f963df7b/attachment-0001.html>
More information about the Python-ideas
mailing list