[Python-3000] Addition to PEP 3101

[Eric V. Smith]

Jim Jewett wrote:
> On 5/1/07, Guido van Rossum <guido at python.org> wrote:
>> On 5/1/07, Jim Jewett <jimjjewett at gmail.com> wrote:
> 
>>> There are some things you can safely do with even arbitrary objects --
>>> such as appending them to a list.
> 
>>> By mentioning security as a reason to restrict the format, it suggests
>>> that this is another safe context.  It isn't.
> 
>> But your presumption that the map is already evil makes it irrelevant
>> whether the format is safe or not. Having the evil map is the problem,
>> not passing it to the format operation.
> 
> Using a map was probably misleading.  Let me rephrase:
> 
> While the literal string itself is safe, the format function is only
> as safe as the objects being formatted.  The example below gets
> person.name; if the person object itself is malicious, then even this
> attribute access could run arbitrary code.
> 
>      "My name is {0.name}".format(person)
> 

I think the concern is this:

Suppose we have:

class Person:
     def destroy_children(self):
         # do something destructive
     name = 'me'

person = Person()

"My name is {0.name}".format(person)               # ok
"My name is {0.destroy_children()}".format(person) # ouch

One intent of the PEP is that the strings come from a translation, or 
are otherwise out of the direct control of the original programmer.  So 
the thought is that attributes of objects being formatted are probably 
always "safe" to call, while methods might be "unsafe", for some 
definitions of "safe" and "unsafe".

Whether this justifies the exclusion of calling methods (or callables 
themselves), I can't say.  I can say that calling methods that have 
parameters would significantly complicate our implementation of PEP 
3101.  The original message in this thread only has examples of calling 
methods without parameters, it's not clear to me if that's only intended 
use.