On Mon, 14 Jan 2002, Neil Schemenauer wrote:

> Amazing what you learn by actually reading the PEP.

May i quote you on that? :) Just kidding.

More seriously: there is no security issue introduced by PEP 215. I saw the concerns being raised in the previous e-mail messages on this topic, but every time i was about to compose a reply, i found that Jason Orendorff had already provided exactly the explanation i was about to give, or better. So, thank you, Jason. :)

In short: PEP 215 suggests a syntactic transformation that turns

    $'the $quick brown $fox()'

into the fully equivalent

    'the %s brown %s' % (quick, fox())

The '$' prefix only applies to literals, and cannot be used as an operator in front of other expressions or variables. This issue is pointed out specifically in the PEP:

    '$' works like an operator and could be implemented as an
    operator, but that prevents the compile-time optimization and
    presents security issues. So, it is only allowed as a string
    prefix.

Therefore, this transformation executes *only* code that was literally present in the original program. (An example of this transformation is given at the end of PEP 215 in the "Implementation" section.)

(By the way, i myself am not yet fully convinced that a string interpolation feature is something that Python desperately needs. I do see some considerable potential for good, and so the purpose of PEP 215 was to put a concrete and plausible proposal on the table for discussion. Given that proposal, which i believe to be about as good as one could reasonably expect, we can hope to save ourselves the expense of re-arguing the same issues repeatedly, and make an informed decision about whether to add the feature. Among the possible drawbacks/complaints i see are: more work for automated source code tools, tougher editor syntax highlighting, too many messy string prefix characters, and the addition of yet one more Python feature to teach and document. Security, however, is not among them.)

-- ?!ng
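A toy model of the rewrite the message describes, added here as an illustration (it is not the PEP's reference implementation nor code from the thread). It assumes the PEP 215 forms $name, $name.attr, $name(args), $name[index], ${expression} and $$ for a literal dollar, and uses eval() only as a stand-in for the compiler emitting ordinary expression code; the point it makes is that only text taken from the literal is ever evaluated, so a '$' arriving inside a runtime value is plain data.

```python
import re

# Constructed toy model of the PEP 215 rewrite: a $-literal is split, at
# "compile time", into a '%'-format string plus the *source text* of each
# embedded expression.  This step executes nothing; it is text processing.
# Assumed forms: $name, $name.attr, $name(args), $name[i], ${expr}, $$.
_NAME = r"[A-Za-z_]\w*"
_TOKEN = re.compile(
    r"\$\$"                                         # escaped dollar sign
    r"|\$\{(?P<braced>[^{}]*)\}"                    # ${expression}
    rf"|\$(?P<simple>{_NAME}(?:\.{_NAME}|\([^()]*\)|\[[^\[\]]*\])*)"
)

def transform(literal):
    """Return (format_string, [expression_source, ...]) for a $-literal."""
    fmt, exprs, pos = [], [], 0
    for m in _TOKEN.finditer(literal):
        fmt.append(literal[pos:m.start()].replace("%", "%%"))  # protect plain text
        if m.group(0) == "$$":
            fmt.append("$")
        else:
            exprs.append(m.group("braced") if m.group("braced") is not None
                         else m.group("simple"))
            fmt.append("%s")
        pos = m.end()
    fmt.append(literal[pos:].replace("%", "%%"))
    return "".join(fmt), exprs

def to_source(literal):
    """The equivalent ordinary Python source the compiler would emit."""
    fmt, exprs = transform(literal)
    args = ", ".join(exprs) + ("," if len(exprs) == 1 else "")
    return "%r %% (%s)" % (fmt, args)

def interpolate(literal, namespace):
    """Evaluate the rewritten form.  eval() stands in for compiled expression
    code; only text that came from the literal itself is evaluated, never
    the values the template is filled with."""
    fmt, exprs = transform(literal)
    values = tuple(eval(e, {"__builtins__": {}}, dict(namespace)) for e in exprs)
    return fmt % values

if __name__ == "__main__":
    print(to_source("the $quick brown $fox()"))
    # A '$' inside a runtime value is ordinary data and is not re-interpolated.
    print(interpolate("Hello $name", {"name": "$secret", "secret": "hunter2"}))
```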