[Python-3000] Addition to PEP 3101
Jim Jewett jimjjewett at gmail.com
Tue May 1 20:20:01 CEST 2007
- Previous message: [Python-3000] Addition to PEP 3101
- Next message: [Python-3000] Addition to PEP 3101
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 5/1/07, Guido van Rossum <guido at python.org> wrote:
> On 5/1/07, Jim Jewett <jimjjewett at gmail.com> wrote:
> > Note that while (literal strings used as) format strings are
> > effectively sandboxed, the formatted objects themselves are not.
> > "My name is {0[name]}".format(evilmap)
> > would still allow evilmap to run arbitrary code.

> And how on earth would that be a security threat?
There are some things you can safely do with even arbitrary objects -- such as appending them to a list.
Mentioning security as a reason to restrict the format suggests that this is another safe context. It isn't.
-jJ
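The point above, as an added example that is not part of the thread: a literal format string only fixes *which* hooks get called, not *what* they do. Field access such as `{0[name]}` goes through the argument's `__getitem__`, `{0.attr}` goes through attribute lookup (here `__getattr__`), and the final conversion goes through `__format__`, so whatever object is passed in gets to run its own code at each of those points. Appending the same object to a list calls none of them. The `EvilMap` class and the `CALLS` log are constructed for the demonstration and stand in for the thread's hypothetical `evilmap`.

```python
# Added example (not from the original thread). Demonstrates that a literal
# format string does not sandbox the object being formatted: str.format calls
# __getitem__, __getattr__ and __format__ on that object, while list.append
# calls nothing on it.

CALLS = []  # constructed side-effect log shared by the demo object


class EvilMap:
    """Stand-in for the thread's hypothetical `evilmap`.

    Each hook only records that it ran, but the point is that this is
    attacker-controlled Python executing during a "harmless" format call.
    """

    def __getitem__(self, key):
        # Reached by "{0[name]}": arbitrary code runs here.
        CALLS.append(("__getitem__", key))
        return "Mallory"

    def __getattr__(self, name):
        # Reached by "{0.attr}" for any attribute not defined on the class.
        CALLS.append(("__getattr__", name))
        return "attr-" + name

    def __format__(self, spec):
        # Reached whenever the object itself is converted, e.g. "{0:>10}".
        CALLS.append(("__format__", spec))
        return "formatted"


def safe_append(obj):
    """The safe context from the reply: appending calls nothing on obj."""
    CALLS.clear()
    bucket = []
    bucket.append(obj)
    return list(CALLS)  # expected: []


def format_with_literal(obj):
    """The thread's example: a literal format string, attacker-supplied arg."""
    CALLS.clear()
    out = "My name is {0[name]}".format(obj)
    return out, list(CALLS)


def format_attr_and_spec(obj):
    """Generalises the point to attribute access and the conversion step."""
    CALLS.clear()
    out = "{0.secret}:{0:>10}".format(obj)
    return out, list(CALLS)


if __name__ == "__main__":
    print("append:", safe_append(EvilMap()))
    print("getitem:", format_with_literal(EvilMap()))
    print("getattr/format:", format_attr_and_spec(EvilMap()))
```

The same applies to `%`-formatting with `%(name)s`, which calls `__getitem__` on its mapping argument, and to f-strings, which evaluate arbitrary expressions; none of them is a safe context for untrusted objects, even when the template itself is a trusted literal.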