[Python-Dev] Critique of PEP 501 (General purpose string interpolation)
Guido van Rossum guido at python.org
Sat Sep 5 05:04:28 CEST 2015
- Previous message (by thread): [Python-Dev] PEP 501 Shell Command Examples
- Next message (by thread): [Python-Dev] Critique of PEP 501 (General purpose string interpolation)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I think it's too much effort for too little gain.
The motivation feels very weak; surely writing
os.system("echo " + message_from_user)
is just as easy (as is the %s spelling), so the security issue can hardly be blamed on PEP 498.
I also don't think that the current way to address such security issues is a big deal:
The subprocess module is complex for other reasons, and a simpler wrapper could easily be made;
Database wrappers have forever included their own solution for safely quoting query parameters, and people who still don't use that are not likely to care about i-strings either.
Logging: again, it's hard to beat the existing solution, which mostly comes down to using %r instead of %s for any user-supplied or otherwise unverified data.
HTML quoting is an art and I'm skeptical that the proposal will even work for that use case.
--
--Guido van Rossum (python.org/~guido)
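The message argues that the existing mechanisms already cover the four cases PEP 501 cites. The following is an added example, not code from the original message or from Python's own documentation, showing those mechanisms in working form: the argv-list form of subprocess (with shlex.quote for the cases where a command string is unavoidable), a parameterized sqlite3 query, the logging module applying %r to an untrusted value, and html.escape. All function names, the in-memory table and the sample inputs are constructed for illustration.

```python
"""Added example: the "existing solutions" the post points to, in working
form. Not code from the original message; names and sample inputs are
constructed for illustration."""
import html
import io
import logging
import shlex
import sqlite3
import subprocess
import sys

# Constructed sample of untrusted input: harmless, but it contains a shell
# metacharacter and whitespace so the difference between approaches shows.
UNTRUSTED_MESSAGE = "hello; echo second"


def shell_argv(message):
    """Argument-list form: the message is one argv element, never parsed by a shell."""
    return ["echo", message]


def shell_command_string(message):
    """If a shell command *string* is unavoidable, shlex.quote makes the
    interpolated value a single shell word."""
    return "echo " + shlex.quote(message)


def run_argv_roundtrip(message):
    """Run a child with the list form and return what it received as argv[1].
    Uses the current interpreter instead of /bin/echo so it is portable."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", message],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def lookup_user(conn, name):
    """Parameterized query: the driver binds `name`; quotes inside it are data."""
    cur = conn.execute("SELECT id, name FROM users WHERE name = ?", (name,))
    return cur.fetchall()


def demo_db(name):
    """In-memory sqlite3 table with one constructed row, queried via lookup_user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES (?)", ("O'Brien",))
    return lookup_user(conn, name)


def render_log(template, untrusted):
    """Format a record through the logging module so %r is applied by the
    logger; repr() keeps newlines and control characters as escapes, so an
    untrusted value cannot fake a second log line."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger = logging.getLogger("pep501_example")
    logger.handlers[:] = [handler]
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.info(template, untrusted)
    handler.flush()
    return stream.getvalue().rstrip("\n")


def html_text(untrusted):
    """Escape for an HTML text node; quote=True also covers attribute values."""
    return html.escape(untrusted, quote=True)


if __name__ == "__main__":
    print(shell_argv(UNTRUSTED_MESSAGE))
    print(shell_command_string(UNTRUSTED_MESSAGE))
    print(repr(run_argv_roundtrip(UNTRUSTED_MESSAGE)))
    print(demo_db("O'Brien"))
    print(render_log("user input: %r", "ok\nforged line"))
    print(html_text('<b>bold</b> & "quoted"'))
```

The argv-list form is what makes the `os.system("echo " + message_from_user)` line in the message moot: the child process receives the whole string as one argument regardless of its contents. The logging case is the one the message singles out; note that `%r` is applied by the logger, so the newline in the sample stays an escape rather than starting a new line in the log.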