[Python-3000] Addition to PEP 3101

Jim Jewett jimjjewett at gmail.com
Tue May 1 16:31:08 CEST 2007


On 4/30/07, Talin <talin at acm.org> wrote:

Greg Ewing wrote:
> Patrick Maupin wrote:

>> Method calls are deliberately disallowed by the PEP, so that the
>> implementation has some hope of being securable.

> If attribute access is allowed, arbitrary code can already
> be triggered, so I don't see how this makes a difference
> to security.

Not quite. It depends on what you mean by 'arbitrary code'. ...

If I understood that correctly, then

(1) The format string cannot run arbitrary code, but (2) The formatted objects themselves can.

This is probably a feature, since you can pass proxy objects, but it should definitely be called out explicitly in the security section (currently just some text in Simple and Compound Names section). Example Text:

Note that while (literal strings used as) format strings are effectively sandboxed, the formatted objects themselves are not.

"My name is {0[name]}".format(evil_map)

would still allow evil_map to run arbitrary code.

-jJ
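To make the distinction concrete, here is an added example (not code from the thread or from the PEP): the field syntax of str.format cannot invoke a method, but an item or attribute lookup on the formatted object runs whatever code that object defines. RecordingMap is a constructed class that merely logs the lookups the formatter triggers.

```python
class RecordingMap:
    """Constructed example object: records every item/attribute lookup
    that str.format performs on it while expanding a field."""

    def __init__(self):
        self.accesses = []

    def __getitem__(self, key):
        # Any Python code can run here; it is triggered solely by a
        # "{0[key]}" field in the format string.
        self.accesses.append(("getitem", key))
        return "Alice"

    def __getattr__(self, name):
        # Likewise for "{0.name}" fields (only called for unknown attributes).
        self.accesses.append(("getattr", name))
        return "Bob"


def format_with_index(obj):
    """Expand an index field: calls obj.__getitem__('name')."""
    return "My name is {0[name]}".format(obj)


def format_with_attr(obj):
    """Expand an attribute field: calls obj.__getattr__('nick')."""
    return "Hello {0.nick}".format(obj)


def method_call_rejected(template, obj):
    """Return True if str.format refuses the template.

    The field grammar has no call syntax: "{0.upper()}" is parsed as a
    lookup of an attribute literally named "upper()", which a plain
    object does not have, so the format string itself cannot call code.
    """
    try:
        template.format(obj)
    except (ValueError, KeyError, AttributeError):
        return True
    return False


if __name__ == "__main__":
    m = RecordingMap()
    print(format_with_index(m), format_with_attr(m))
    print("lookups triggered by the format string:", m.accesses)
    print("method call in field rejected:", method_call_rejected("{0.upper()}", "alice"))
```

The trace in `accesses` is what a reviewer would look for when deciding whether an object handed to a user-supplied format string is safe to expose.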


