[Python-3000] Addition to PEP 3101

Eric V. Smith eric+python-dev at trueblade.com
Tue May 1 20:54:53 CEST 2007


Jim Jewett wrote:

> On 5/1/07, Guido van Rossum <guido at python.org> wrote:
>
>> On 5/1/07, Jim Jewett <jimjjewett at gmail.com> wrote:
>>
>>> There are some things you can safely do with even arbitrary objects -- such as appending them to a list. By mentioning security as a reason to restrict the format, it suggests that this is another safe context. It isn't.
>>
>> But your presumption that the map is already evil makes it irrelevant whether the format is safe or not. Having the evil map is the problem, not passing it to the format operation.
>
> Using a map was probably misleading. Let me rephrase: While the literal string itself is safe, the format function is only as safe as the objects being formatted. The example below gets person.name; if the person object itself is malicious, then even this attribute access could run arbitrary code.
>
> "My name is {0.name}".format(person)

I think the concern is this:

Suppose we have:

class Person:
    def destroy_children(self):
        # do something destructive
        pass
    name = 'me'

person = Person()

"My name is {0.name}".format(person)                # ok
"My name is {0.destroy_children()}".format(person)  # ouch

One intent of the PEP is that the strings come from a translation, or are otherwise out of the direct control of the original programmer. So the thought is that attributes of objects being formatted are probably always "safe" to call, while methods might be "unsafe", for some definitions of "safe" and "unsafe".

Whether this justifies the exclusion of calling methods (or callables themselves), I can't say. I can say that calling methods that have parameters would significantly complicate our implementation of PEP 3101. The original message in this thread only has examples of calling methods without parameters; it's not clear to me if that's the only intended use.
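The thread's concern is a template the programmer does not control (for instance one taken from a translation catalogue). The following is an added example, not code from this thread or from the PEP 3101 implementation: it shows that `str.format` rules parse `destroy_children()` as an attribute name and never call it, and it adds a `string.Formatter` subclass that limits `{0.attr}` to a whitelist of attribute names for the untrusted-template case. `Person`, its `salary` attribute and the whitelist are constructed for the example.

```python
import string

class Person:
    name = 'me'
    salary = 100000          # constructed: state a template should not expose
    destroyed = False

    def destroy_children(self):   # stand-in for a method with side effects
        self.destroyed = True
        return 'gone'

class RestrictedFormatter(string.Formatter):
    """Resolve '{0.attr}' only for attribute names in `allowed`; refuse the rest."""

    def __init__(self, allowed):
        super().__init__()
        self.allowed = frozenset(allowed)

    def get_field(self, field_name, args, kwargs):
        if '[' in field_name:                 # no '{0[key]}' item access either
            raise ValueError('index access not allowed: %r' % field_name)
        first, *attrs = field_name.split('.')
        key = int(first) if first.isdigit() else first   # '0' -> args[0], 'x' -> kwargs['x']
        obj = self.get_value(key, args, kwargs)
        for attr in attrs:
            if attr not in self.allowed:
                raise ValueError('attribute not allowed in template: %r' % attr)
            obj = getattr(obj, attr)
        return obj, key

def try_format(formatter, template, obj):
    """Render the template, or return the name of the exception it raised."""
    try:
        return formatter.format(template, obj)
    except Exception as exc:
        return type(exc).__name__

def demo():
    person = Person()
    plain, safe = string.Formatter(), RestrictedFormatter(allowed={'name'})   # plain == str.format rules
    return {
        'plain_attr': try_format(plain, 'My name is {0.name}', person),
        'plain_call': try_format(plain, '{0.destroy_children()}', person),  # parsed as an attribute name, never called
        'plain_leak': try_format(plain, '{0.salary}', person),              # any attribute is readable
        'safe_attr': try_format(safe, 'My name is {0.name}', person),
        'safe_leak': try_format(safe, '{0.salary}', person),
        'safe_index': try_format(safe, '{0[name]}', person),
        'called': person.destroyed,
    }
```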
