Source: https://mail.python.org/pipermail/python-dev/2004-June/045527.html

[Python-Dev] PEP 292 for Python 2.4

Jeff Epler jepler at unpythonic.net
Wed Jun 23 18:53:58 EDT 2004
What is the motivation for "safedict"?  I can imagine two uses.  One
seems like it could lead to some kind of security problem.

The "harmless" (?) use would be in debugging, so that the program would
continue when a key was missing, but the programmer could see after the
fact what that key was.

The harmful case would be one where the string is substituted in several
stages.  Just like % substitutions, $-substitutions are not safe for
repeated expansion.

Here's an example:
    def something(user_controlled_string):
        mypassword = "drowssap"
        bar = "1/8 x 1 inch aluminum bar"
        s = dstring("${foo} is ${bar}")
        s = s % safedict({'foo': user_controlled_string})
        s = s % nsdict()
        print s

The malicious user supplies user_controlled_string:
    http://python.example.com/something?user_controlled_string=%24mypassword
and gets back
    drowssap is 1/8 x 1 inch aluminum bar

Jeff
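The two-stage expansion described in the post, reproduced with the string.Template API that PEP 292 eventually shipped (an added example, not Jeff Epler's code): the hypothetical dstring, safedict and nsdict are assumed to map onto Template, safe_substitute and substitute(locals()) respectively, and the two safer variants a defender would use are shown beside it.

```python
from string import Template

# Constructed example: the post's dstring/safedict/nsdict are modelled as
# Template, Template.safe_substitute and Template.substitute(locals()).
# This mapping is an assumption, not the API the post was discussing.

MYPASSWORD = "drowssap"
BAR = "1/8 x 1 inch aluminum bar"


def render_two_stage(user_controlled_string):
    """Vulnerable: the user's text is inserted in pass 1 and then re-parsed
    as template syntax in pass 2, so "$mypassword" in the input is expanded."""
    mypassword = MYPASSWORD          # secret present in the local namespace
    bar = BAR
    s = Template("${foo} is ${bar}")
    s = s.safe_substitute({"foo": user_controlled_string})  # pass 1: ${bar} survives
    return Template(s).substitute(locals())                  # pass 2: rescans user text


def render_single_stage(user_controlled_string):
    """Mitigation 1: one pass only. User data is a substitution value and is
    never re-parsed, so any "$name" it contains stays a literal string."""
    mypassword = MYPASSWORD          # still in scope, but unreachable
    bar = BAR
    return Template("${foo} is ${bar}").substitute(foo=user_controlled_string, bar=bar)


def render_two_stage_escaped(user_controlled_string):
    """Mitigation 2: if two passes are unavoidable, double every "$" in the
    untrusted value before pass 1 so pass 2 sees the "$$" escape, not a placeholder."""
    mypassword = MYPASSWORD
    bar = BAR
    escaped = user_controlled_string.replace("$", "$$")
    s = Template("${foo} is ${bar}").safe_substitute({"foo": escaped})
    return Template(s).substitute(locals())


if __name__ == "__main__":
    attacker_input = "$mypassword"   # the value from the post's example URL
    print("two-stage:        ", render_two_stage(attacker_input))
    print("single-stage:     ", render_single_stage(attacker_input))
    print("two-stage escaped:", render_two_stage_escaped(attacker_input))
```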