[Python-3000] Addition to PEP 3101

Patrick Maupin pmaupin at gmail.com
Tue May 1 20:52:20 CEST 2007


On 5/1/07, Jim Jewett <jimjjewett at gmail.com> wrote:

> On 5/1/07, Guido van Rossum <guido at python.org> wrote:
> > But your presumption that the map is already evil makes it irrelevant
> > whether the format is safe or not. Having the evil map is the problem,
> > not passing it to the format operation.
>
> Using a map was probably misleading. Let me rephrase: While the literal
> string itself is safe, the format function is only as safe as the objects
> being formatted. The example below gets person.name; if the person object
> itself is malicious, then even this attribute access could run arbitrary
> code.
>
>     "My name is {0.name}".format(person)
>
> -jJ

There is a (perhaps misguided) consensus that the format() operation ought to have the property that a programmer can write a program which will not have an issue with potentially hostile strings. (Personally, I view security as an open-ended problem, and don't deal with hostile strings without a LOT of massaging.)

It is, and will continue to be, the case that the programmer can EASILY write code that would do something bad with a given format string, and yet not do something bad with another format string. This is true even with the percent operator and a dictionary (which might be subclassed to do something evil on a lookup operation).

All the format() operation can do to help in this instance is impose a few minor restrictions: don't allow calls, don't allow lookups of attributes with leading underscores. This makes it relatively easy to write "format-safe" objects. Does it make it impossible to write a "format-unsafe" object? No, and that was never the intention.

Regards, Pat
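As an added illustration (my code, not from the thread or from the PEP 3101 implementation): a string.Formatter subclass that enforces the leading-underscore restriction Pat describes, next to a constructed hostile object that shows Jim's point that the formatter cannot protect against the object being formatted. RestrictedFormatter, render, Person, HostilePerson and the _ssn attribute are all invented for the example.

```python
import string

def _attribute_names(field_name):
    """Yield attribute names in a field like '0.name[key].city'.
    Index keys in brackets are skipped, so [x._y] is not an attribute."""
    i = 0
    while i < len(field_name):
        if field_name[i] == "[":
            i = field_name.index("]", i) + 1
        elif field_name[i] == ".":
            j = i + 1
            while j < len(field_name) and field_name[j] not in ".[":
                j += 1
            yield field_name[i + 1:j]
            i = j
        else:
            i += 1

class RestrictedFormatter(string.Formatter):
    """The template-side restriction from the thread: refuse attribute
    lookups whose name starts with an underscore. str.format() has no
    call syntax, so "no calls" needs no extra code."""
    def get_field(self, field_name, args, kwargs):
        for attr in _attribute_names(field_name):
            if attr.startswith("_"):
                raise ValueError("refused attribute %r in {%s}" % (attr, field_name))
        return super().get_field(field_name, args, kwargs)

def render(template, *args, **kwargs):
    """Format with RestrictedFormatter; return refusals as text instead of raising."""
    try:
        return RestrictedFormatter().format(template, *args, **kwargs)
    except (ValueError, AttributeError, KeyError, IndexError) as exc:
        return "rejected: %s" % exc

class Person:
    """Constructed sample object; _ssn stands for data a template must not reach."""
    def __init__(self, name):
        self.name = name
        self._ssn = "constructed-secret"

class HostilePerson:
    """Jim's point: a property runs code on plain attribute access, so the
    template-side check cannot make a hostile object safe."""
    accesses = 0
    @property
    def name(self):
        type(self).accesses += 1
        return "Mallory"
```

Only the hostile template case is caught; the hostile object case still runs its property code, which is exactly why Pat calls the restrictions "minor".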


