[Python-3000] Addition to PEP 3101
Guido van Rossum guido at python.org
Tue May 1 21:11:31 CEST 2007
- Previous message: [Python-3000] Addition to PEP 3101
- Next message: [Python-3000] Traits/roles instead of ABCs
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 5/1/07, Jim Jewett <jimjjewett at gmail.com> wrote:
> On 5/1/07, Guido van Rossum <guido at python.org> wrote:
> > On 5/1/07, Jim Jewett <jimjjewett at gmail.com> wrote:
> > > There are some things you can safely do with even arbitrary objects --
> > > such as appending them to a list.
> > > By mentioning security as a reason to restrict the format, it suggests
> > > that this is another safe context.  It isn't.
> > But your presumption that the map is already evil makes it irrelevant
> > whether the format is safe or not. Having the evil map is the problem,
> > not passing it to the format operation.
> Using a map was probably misleading.  Let me rephrase:
> While the literal string itself is safe, the format function is only
> as safe as the objects being formatted.  The example below gets
> person.name; if the person object itself is malicious, then even this
> attribute access could run arbitrary code.
>     "My name is {0.name}".format(person)
And my point is that the security concerns here are not about malicious arguments to the format() method; that's not part of the threat model. If you have a person object in your program you can't trust, you have a problem whether or not you use the format method.
The threat we're concerned with here (as Patrick explained in his response) is format strings provided by translators or non-root webmasters or (less likely) end users. Translation is probably the main use case; another use case is exemplified by mailman, which gives list owners the means to edit list-specific html templates which are used as format strings. We want to prevent those folks from (accidentally or intentionally) crashing the web server or elevating their privileges.
--
--Guido van Rossum (home page: http://www.python.org/~guido/)
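As an added example (not code from this thread or from PEP 3101), the following Python demonstrates the threat model described in the message above: the objects passed to format() are trusted, the template string is not. Person, SECRET_KEY, RestrictedFormatter, the rejects() helper and the width cap are all constructed for illustration. The unrestricted path shows what a template author can reach through the attribute and index access that "{0.name}" relies on; the restricted formatter, built on the standard library's string.Formatter hooks, accepts only bare named placeholders and caps padding widths so a template cannot request a huge allocation.

```python
import re
import string

# Module-level secret, standing in for configuration that happens to live in
# the same module as the model class (constructed for this example).
SECRET_KEY = "hunter2-session-signing-key"


class Person:
    """Constructed model object: one field meant for templates, one not."""

    def __init__(self, name, password_hash):
        self.name = name
        self.password_hash = password_hash


def render_unrestricted(template, person):
    """The naive approach: hand the untrusted template straight to str.format.

    The positional argument is trusted; the template is written by a
    translator or site owner. Attribute access ({0.x}) and index access
    ({0[x]}) let the template walk from the object to anything it can reach.
    """
    return template.format(person)


class RestrictedFormatter(string.Formatter):
    """Formatter for templates written by translators or list owners.

    Only bare, named placeholders such as {name} are accepted: no attribute
    access, no indexing, no positional or auto-numbered fields. Numbers in the
    format spec (width/precision) are capped so a template cannot ask for a
    gigabyte of padding.
    """

    MAX_FIELD_WIDTH = 1000  # assumed limit; tune to the application

    def get_field(self, field_name, args, kwargs):
        # str.format would split "a.b[c]" and walk it with getattr/getitem.
        # Refuse anything that is not a plain identifier. Note that {} is
        # turned into "0" before reaching here, so it is rejected as well.
        if not field_name.isidentifier():
            raise ValueError(f"placeholder {field_name!r} is not allowed")
        return self.get_value(field_name, args, kwargs), field_name

    def get_value(self, key, args, kwargs):
        # Only values the caller explicitly exposed by name are reachable.
        if key not in kwargs:
            raise KeyError(f"unknown placeholder {key!r}")
        return kwargs[key]

    def format_field(self, value, format_spec):
        # Heuristic guard against {name:>999999999}: reject any integer in the
        # spec above the cap. Nested specs ({x:{w}}) are rendered before this
        # hook runs, so the check sees the final spec.
        for number in re.findall(r"\d+", format_spec):
            if int(number) > self.MAX_FIELD_WIDTH:
                raise ValueError(f"format spec {format_spec!r} exceeds width cap")
        return super().format_field(value, format_spec)


def render_restricted(template, **fields):
    """Render an untrusted template against an explicit allow-list of values."""
    return RestrictedFormatter().vformat(template, (), fields)


def rejects(template, **fields):
    """True if the restricted formatter refuses the template."""
    try:
        render_restricted(template, **fields)
    except (ValueError, KeyError):
        return True
    return False


if __name__ == "__main__":
    alice = Person("Alice", "$2b$12$constructed-hash")
    # Template authors were only ever meant to write the first of these.
    print(render_unrestricted("My name is {0.name}", alice))
    print(render_unrestricted("{0.password_hash}", alice))
    print(render_unrestricted("{0.__init__.__globals__[SECRET_KEY]}", alice))
    # The same templates against the restricted formatter.
    print(render_restricted("My name is {name}", name=alice.name))
    for bad in ("{person.password_hash}", "{0}", "{name:>99999999}", "{secret}"):
        print(bad, "rejected:", rejects(bad, name=alice.name, person=alice))
```

The restricted formatter deliberately takes keyword arguments only: the caller names exactly which values a template may reference, and the template cannot navigate from them. This addresses the case in the thread (untrusted template, trusted objects); it does nothing for the reverse case of a malicious object, which, as the message says, is a problem whether or not format() is involved.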