On Mon, 14 Jan 2002, Jason Orendorff wrote:
> Steven Majewski wrote:
> > On Mon, 14 Jan 2002, Jason Orendorff wrote:
> > > Would someone please explain to me what is seen as a "possible
> > > security issue" in PEP 215? Can anyone propose some real-life
> > > situation where PEP 215 causes a vulnerability, and the
> > > corresponding % syntax doesn't?
> >
> > Do you mean the current '%' or my expanded example?
>
> I mean the current %.
>
> Well?

Paul is the one who (rightly) brought up the issue of security with
respect to double-evaluated strings. But in addition, he seemed to be
saying that you can do more with a compile-time test than you can with
a runtime test. I disagree with that. I think, for the same semantics,
you get the same security issues. I think it's very similar to the
compile-time type checking vs. dynamic typing problem. (In fact, I think
it reduces to the same problem.) There are clearly some advantages to
doing things at compile time, but you don't get more security without
more restriction.

-- Steve
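An added example, not code from the thread or from PEP 215 itself, making concrete what "double-evaluated strings" means here. `runtime_interp` is a constructed toy that evaluates `${expr}` in any runtime string (PEP 215 proposed doing this only inside literals at compile time); the namespace and the attacker inputs are constructed for the demo. The leak appears only when untrusted data is pasted into the string that is interpolated afterwards, and the same mistake leaks just as well with `%` when user data ends up as the format string, which is the symmetry the message argues for.

```python
import re

# Constructed toy *runtime* interpolator in the spirit of the `$` syntax under
# discussion: every ${expr} in the string is evaluated against a namespace.
# This is an illustration, not PEP 215's implementation (which only touched literals).
_DOLLAR = re.compile(r"\$\{([^}]*)\}")


def runtime_interp(template, namespace):
    """Replace each ${expr} in template with eval(expr) in namespace (unsafe by design)."""
    # Builtins are stripped so the demo is limited to name lookups; that is already
    # enough to show that anything reachable from the namespace can be exfiltrated.
    return _DOLLAR.sub(
        lambda m: str(eval(m.group(1), {"__builtins__": {}}, namespace)),
        template,
    )


# Constructed sample data: a per-request namespace that happens to hold a secret,
# and attacker-controlled input that carries interpolation syntax.
NAMESPACE = {"user": "mallory", "secret": "hunter2"}
EVIL_DOLLAR = "hi ${secret}"    # aimed at the ${...} interpolator
EVIL_PERCENT = "hi %(secret)s"  # aimed at %-formatting with a mapping


def dollar_single_eval(user_input, ns=NAMESPACE):
    """Safe shape: the template is a literal; user data is substituted, never parsed."""
    ns = dict(ns, user=user_input)
    return runtime_interp("Greeting: ${user}", ns)


def dollar_double_eval(user_input, ns=NAMESPACE):
    """Bug: user data is pasted INTO the template first, then the template is evaluated."""
    built = "Greeting: %s" % user_input   # evaluation 1: data becomes template text
    return runtime_interp(built, ns)      # evaluation 2: the attacker's ${secret} runs


def percent_single_eval(user_input):
    """Safe shape with %: the format string is a literal, user data is an argument."""
    return "Greeting: %s" % user_input


def percent_double_eval(user_input, ns=NAMESPACE):
    """Same bug with %: user data becomes (part of) the format string."""
    built = "Greeting: " + user_input     # evaluation 1: concatenation
    return built % ns                     # evaluation 2: %(secret)s is looked up


if __name__ == "__main__":
    print(dollar_single_eval(EVIL_DOLLAR))    # data left alone
    print(dollar_double_eval(EVIL_DOLLAR))    # secret leaks
    print(percent_single_eval(EVIL_PERCENT))  # data left alone
    print(percent_double_eval(EVIL_PERCENT))  # secret leaks
```

The two leaking functions differ only in which substitution syntax the attacker targets; the property that prevents the leak in both safe variants is that the template is a literal the programmer wrote and the untrusted data is only ever an argument to it.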