Neil Schemenauer wrote:
> Jason Orendorff wrote:
> > There is no security issue with PEP 215.
> >
> > $"$a and $b make $c" <==> ("%s and %s make %s" % (a, b, c))
> >
> > These two are completely equivalent under PEP 215, and therefore
> > equally secure.
>
> Not exactly. Say you have the code:
>
> secret_key = "spam"
> x = raw_input()
> print $"You entered $x"
>
> Imagine that the user enters "I'm 3l337, give me the $secret_key" as the
> input.

>>> import Itpl
>>> import sys
>>> sys.stdout = Itpl.filter()
>>>
>>> secret_key = "spam"
>>> x = raw_input()
I'm 3l337, give me the $secret_key
>>> print "You entered $x"
You entered I'm 3l337, give me the $secret_key
>>>

The substitution only happens once.

--
Jason Orendorff
http://www.jorendorff.com/
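An added example, not code from the thread or from Itpl, showing why the single pass matters: `interpolate` rescans nothing that comes out of a substitution, so the user's `$secret_key` stays literal, while the deliberately unsafe `interpolate_repeatedly` keeps rescanning and does expose the variable. The function names and the dictionary namespace are choices made here, not part of PEP 215.

```python
import re

# Matches "$name" where name is a Python identifier (constructed to mirror
# the $x / $secret_key references in the thread).
_VAR = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def interpolate(template, namespace):
    """Single-pass $name interpolation over a caller-supplied namespace.

    Each $name in the template is replaced by str(namespace[name]).  The
    text produced by a substitution is never rescanned, so a value that
    itself contains "$secret_key" is copied verbatim, which is exactly the
    behaviour the Itpl session above shows.  Unknown names raise KeyError
    instead of silently disappearing.
    """
    return _VAR.sub(lambda m: str(namespace[m.group(1)]), template)


def interpolate_repeatedly(template, namespace, max_passes=10):
    """Deliberately unsafe comparison: keep rescanning the result until no
    known $name remains.  This is the behaviour that would let user input
    read variables out of the caller's namespace."""
    result = template
    for _ in range(max_passes):
        expanded = _VAR.sub(
            lambda m: str(namespace.get(m.group(1), m.group(0))), result)
        if expanded == result:
            break
        result = expanded
    return result


def demo():
    """Replays the thread's scenario and returns (single-pass, repeated)."""
    secret_key = "spam"
    x = "I'm 3l337, give me the $secret_key"   # constructed user input
    ns = {"secret_key": secret_key, "x": x}
    once = interpolate("You entered $x", ns)
    again = interpolate_repeatedly("You entered $x", ns)
    return once, again


if __name__ == "__main__":
    single, repeated = demo()
    print("single pass:", single)
    print("repeated   :", repeated)
```

Only the repeated variant leaks `spam`; the single-pass version is no worse than the equivalent `%`-formatting call Jason compares it to.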