[Python-3000] [Python-Dev] Issues with PEP 3101 (string formatting)

Paul Moore p.f.moore at gmail.com
Sun Jun 24 21:10:43 CEST 2007


On 24/06/07, Brett Cannon <brett at python.org> wrote:
> On 6/20/07, Greg Falcon <veloso at verylowsodium.com> wrote:
> > This sounds exactly right to me.  I don't have strong feelings either
> > way about attribute lookups in formatting strings, or the security
> > problems they raise.  But while it seems a reasonable stance that
> > user-injected getattr()s may pose a security problem, what seems
> > indefensible is the stance that user-injected getattr()s are okay
> > precisely when the attribute being looked up doesn't start with an
> > underscore.
> >
> > A single underscore prefix is a hint to human readers, not to the
> > language itself, and things should stay that way.
>
> Since Talin said he wanted to see what others had to say, I am going
> to say I agree with this sentiment.  I want string formatting to be
> dead-simple.  That means either leaving out overly fancy formatting
> abilities and keeping it simple, or making it very intuitive with as few
> special cases as possible.

Again, I agree. I'd prefer to see attribute access stay, but I'm not
too bothered. I'm very strongly against any restrictions based on the
form of name.

Count me as +0 on allowing a.b, and -1 on allowing a.b unless b
contains leading underscores.

Paul.
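The rule debated in this thread, shown as an added example that is not part of the original message or of PEP 3101: a formatter that refuses attribute names with a leading underscore, next to one that refuses attribute and index lookups altogether and accepts only allowlisted field names. It uses the standard-library `string.Formatter`; the class names, the `Account` object and its values are constructed for illustration.

```python
import string

class UnderscoreRuleFormatter(string.Formatter):
    """Hypothetical: allow a.b unless b starts with an underscore."""
    def get_field(self, field_name, args, kwargs):
        _first, *attrs = field_name.split(".")
        if any(a.startswith("_") for a in attrs):
            raise ValueError(f"underscore attribute refused: {field_name!r}")
        return super().get_field(field_name, args, kwargs)

class PlainFieldFormatter(string.Formatter):
    """Hypothetical: only allowlisted plain names, so no getattr/getitem at all."""
    def __init__(self, allowed):
        super().__init__()
        self.allowed = frozenset(allowed)

    def get_field(self, field_name, args, kwargs):
        # "a.b" and "a[b]" are never in the allowlist, so they are refused too.
        if field_name not in self.allowed:
            raise ValueError(f"field not permitted: {field_name!r}")
        return super().get_field(field_name, args, kwargs)

class Account:
    """Constructed sample object; all values are made up."""
    def __init__(self):
        self.name = "alice"
        self.api_token = "CONSTRUCTED-TOKEN-0000"  # sensitive, but no underscore
        self._note = "internal"

def render(formatter, template, **values):
    """Return the formatted text, or None if the formatter refused the template."""
    try:
        return formatter.format(template, **values)
    except (ValueError, KeyError, AttributeError, IndexError):
        return None

if __name__ == "__main__":
    acct = Account()
    rule = UnderscoreRuleFormatter()
    plain = PlainFieldFormatter({"name"})
    # Templates below stand in for format strings supplied by a user.
    print(render(rule, "{acct._note}", acct=acct))       # refused by the naming rule
    print(render(rule, "{acct.api_token}", acct=acct))   # still rendered
    print(render(plain, "Hi {name}", name=acct.name))    # rendered
    print(render(plain, "{acct.api_token}", acct=acct))  # refused
```

The naming rule stops `_note` but still renders `api_token`, which is the objection raised above: the underscore is a convention for readers, so which attributes an untrusted template can reach has to be decided explicitly by the caller.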

