Steven Majewski wrote:
> On Mon, 14 Jan 2002, Jason Orendorff wrote:
> >
> > > But just in case I'm seeing it all wrong: could you explain
> > > to me how PEP 215 *doesn't* have the potential of introducing
> > > a security hole ?
> >
> > Gladly.
> >
> > Every $-string can be converted to equivalent code that uses only:
> >
> > a) whatever code the programmer explicitly typed
> > in the $-string;
> > b) str() or unicode(); and
> > c) the + operator applied to strings.
>
> But the examples in PEP 215 don't follow those restrictions.

I dunno, it looks like they do to me.

    $'a = $a, b = $b'
        ---> ('a = ' + str(a) + ', b = ' + str(b))

    $u'uni${a}ode'
        ---> (u'uni' + unicode(a) + u'ode')

    $'\$a'
        ---> ('\\' + str(a))

    $r'\$a'
        ---> ('\\' + str(a))

    $'$$$a.$b'
        ---> ('$' + str(a) + '.' + str(b))

    $'a + b = ${a + b}'
        ---> ('a + b = ' + str(a + b))

    $'References to $a: $sys.getrefcount(a)'
        ---> ('References to ' + str(a) + ': ' + str(sys.getrefcount(a)))

    $"sys = $sys, sys = $sys.modules['sys']"
        ---> ('sys = ' + str(sys) + ', sys = ' + str(sys.modules['sys']))

    $'BDFL = $sys.copyright.split()[4].upper()'
        ---> ('BDFL = ' + str(sys.copyright.split()[4].upper()))

In every case, the equivalent uses a) some bits of code that the
programmer explicitly typed in the $-string; b) str() or unicode();
c) and the + operator (to join the resulting strings).

I guess you're thinking "but those bits of code are invoking other
functions that aren't in your list". My point is, the equivalent print
statement, or % expression (the existing %, not your proposed %) does
the exact same thing.

    print $'here we go: $y maps to $x[y]'
    print 'here we go: %s maps to %s' % (y, x[y])
    print 'here we go:', y, 'maps to', x[y]
    print 'here we go: ' + str(y) + ' maps to ' + str(x[y])

Is one of these less secure than the others somehow? There is no new
security hole here.

## Jason Orendorff    http://www.jorendorff.com/
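The equivalence the post argues for can be made mechanical. The following is an added example written for this page; it is not code from the post, from PEP 215, or from its reference implementation. It desugars the $-string subset used in the post's examples ($$ for a literal dollar, ${expr}, and $name with .attr, [index] and (call) trailers) into exactly the form the post gives: string literals, str(), and +. The function names (desugar, to_expression, interpolate) are mine, and eval() stands in for what the compiler would do once, at compile time, on the literal. The point for a reviewer is visible in interpolate: the expression text is taken only from the template, while the values that flow through it are passed to str() and never re-scanned for '$', so a value such as '$secret' is plain data.

```python
import re

# Added example (not from the post or from PEP 215's implementation): a
# desugarer for the $-string subset the post's examples use. The names
# desugar / to_expression / interpolate are mine, not PEP 215's.
IDENT = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')
OPENERS = {'{': '}', '[': ']', '(': ')'}


def match_bracket(s, start):
    """Return the index of the bracket that closes s[start].

    Quoted strings inside the brackets are skipped, so an index such as
    ['sys'] is handled; nesting is tracked with a depth counter.
    """
    depth = 0
    i = start
    while i < len(s):
        c = s[i]
        if c in '\'"':                      # skip over a quoted string
            i += 1
            while i < len(s) and s[i] != c:
                i += 2 if s[i] == '\\' else 1
        elif c in OPENERS:
            depth += 1
        elif c in '}])':
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise SyntaxError('unbalanced brackets in $-string: %r' % s)


def desugar(template):
    """Split a $-string body into ('lit', text) and ('expr', code) parts.

    Rules (the subset PEP 215's examples use): '$$' is a literal '$';
    '${...}' holds an arbitrary expression; '$name' may be followed by
    any number of .attr, [index] and (call) trailers. Any other
    character after '$' is treated as an error here.
    """
    parts, lit = [], []

    def flush():
        if lit:
            parts.append(('lit', ''.join(lit)))
            lit.clear()

    i, n = 0, len(template)
    while i < n:
        c = template[i]
        if c != '$':
            lit.append(c)
            i += 1
        elif template.startswith('$$', i):
            lit.append('$')
            i += 2
        elif template.startswith('${', i):
            end = match_bracket(template, i + 1)
            flush()
            parts.append(('expr', template[i + 2:end]))
            i = end + 1
        else:
            m = IDENT.match(template, i + 1)
            if not m:
                raise SyntaxError('bad $ at offset %d in %r' % (i, template))
            j = m.end()
            while j < n:                    # .attr / [index] / (call) trailers
                if template[j] == '.' and IDENT.match(template, j + 1):
                    j = IDENT.match(template, j + 1).end()
                elif template[j] in '[(':
                    j = match_bracket(template, j) + 1
                else:
                    break
            flush()
            parts.append(('expr', template[i + 1:j]))
            i = j
    flush()
    return parts


def to_expression(template, conv='str'):
    """Render the equivalent expression in the post's form:
    'literal' + str(expr) + ...  (only the typed code, str(), and +)."""
    pieces = [repr(text) if kind == 'lit' else '%s(%s)' % (conv, text)
              for kind, text in desugar(template)]
    return ' + '.join(pieces) if pieces else repr('')


def interpolate(template, namespace):
    """Evaluate the $-string in the given namespace.

    The expression text comes only from the template (the source literal);
    the values are passed through str() and never re-scanned for '$'.
    eval() stands in for what the compiler would have done at compile time.
    """
    out = []
    for kind, text in desugar(template):
        out.append(text if kind == 'lit' else str(eval(text, dict(namespace))))
    return ''.join(out)


if __name__ == '__main__':
    for tmpl in ['a = $a, b = $b', '$$$a.$b', 'a + b = ${a + b}',
                 "sys = $sys, sys = $sys.modules['sys']"]:
        print(tmpl, '--->', to_expression(tmpl))
    # A value containing '$' is plain data: only the literal was desugared.
    print(interpolate('x = $x', {'x': '$secret', 'secret': 'hidden'}))
```

Running the module prints the same expansions the post lists, and the last line prints `x = $secret` rather than `x = hidden`: the only expressions that ever run are the ones typed into the literal, which is why the post puts $-strings on the same footing as `%` formatting and `print` with `str()`.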