[Python-ideas] String interpolation for all literal strings
Wes Turner
wes.turner at gmail.com
Fri Aug 7 00:58:15 CEST 2015
On Thu, Aug 6, 2015 at 5:24 PM, Eric V. Smith <eric at trueblade.com> wrote:
> On 8/6/2015 6:15 PM, Wes Turner wrote:
> >
> >
> > On Thu, Aug 6, 2015 at 2:44 PM, Eric V. Smith <eric at trueblade.com
> > <mailto:eric at trueblade.com>> wrote:
> >
> > On 08/06/2015 03:02 PM, Wes Turner wrote:
> > >
> > >
> > > On Wed, Aug 5, 2015 at 8:58 PM, Terry Reedy <tjreedy at udel.edu
> <mailto:tjreedy at udel.edu>
> > > <mailto:tjreedy at udel.edu <mailto:tjreedy at udel.edu>>> wrote:
> > >
> > > On 8/5/2015 3:34 PM, Yury Selivanov wrote:
> > >
> > > '\{..}' feels unbalanced and weird.
> > >
> > >
> > > Escape both. The closing } is also treated specially, and not
> > > inserted into the string. The compiler scans linearly from
> left to
> > > right, but human eyes are not so constrained.
> > >
> > > s = "abc\{kjljid some long expression jk78738}def"
> > >
> > > versus
> > >
> > > s = "abc\{kjljid some long expression jk78738\}def"
> > >
> > > and how about
> > >
> > > s = "abc\{kjljid some {long} expression jk78738\}def"
> > >
> > >
> > > +1: escape \{both\}.
> > >
> > > Use cases where this is (as dangerous as other string interpolation
> > > methods):
> > >
> > > * Shell commands that should be shlex-parsed/quoted
> > > * (inappropriately, programmatically) writing
> > > code with manually-added quotes ' and doublequotes "
> > > * XML,HTML,CSS,SQL, textual query language injection
> > > * Convenient, but dangerous and IMHO much better handled
> > > by e.g. MarkupSafe, a DOM builder, a query ORM layer
> > >
> > > Docs / Utils:
> > >
> > > * [ ] ENH: AST scanner for these (before i do __futre__ import)
> > > * [ ] DOC: About string interpolation, in general
> >
> > I don't understand what you're trying to say.
> >
> > os.system("cp \{cmd}")
> >
> > is no better or worse than:
> >
> > os.system("cp " + cmd)
> >
> >
> > All wrong (without appropriate escaping):
> >
> > os.system("cp thisinthemiddleofmy\{cmd}.tar")
> > os.system("cp thisinthemiddleofmy\{cmd\}.tar")
> > os.system("cp " + cmd)
> > os.exec*
> > os.spawn*
>
> Not if you control cmd. I'm not sure of your point. As I said, there are
> opportunities for injection that exist before the interpolation proposals.
>
> > Okay:
> >
> > subprocess.call(('cp', 'thisinthemiddleofmy\{cmd\}.tar')) #
> > shell=True=Dangerous
>
> I know that. This proposal does not change any of this. Is any of this
> discussion of injections relevant to the interpolated string proposal?
>
This discussion of is directly relevant to static and dynamic analysis
"scanners" for e.g. CWE-89, CWE-78
https://cwe.mitre.org/data/definitions/78.html#Relationships
It's just another syntax but there are downstream changes to tooling.
- [ ] Manual review
>
> > sarge.run('cp thisinthemiddleofmy{0!s}.tar', cmd)
>
> Never heard of sarge.
>
Sarge handles threading, shell escaping, and | pipes (even w/ Windows) on
top of subprocess. Something similar in the stdlib someday #ideas would be
great
[and would solve for the 'how do i teach this person to write a shell
script python module to be called by a salt module?' use case].
>
> Eric.
>
> >
> > Yes, there are lots of opportunities in the world for injection
> attacks.
> > This proposal doesn't change that. I don't see how escaping the
> final }
> > changes anything.
> >
> > Eric.
> >
> >
> > _______________________________________________
> > Python-ideas mailing list
> > Python-ideas at python.org <mailto:Python-ideas at python.org>
> > https://mail.python.org/mailman/listinfo/python-ideas
> > Code of Conduct: http://python.org/psf/codeofconduct/
> >
> >
> >
> >
> > _______________________________________________
> > Python-ideas mailing list
> > Python-ideas at python.org
> > https://mail.python.org/mailman/listinfo/python-ideas
> > Code of Conduct: http://python.org/psf/codeofconduct/
> >
> _______________________________________________
> Python-ideas mailing list
> Python-ideas at python.org
> https://mail.python.org/mailman/listinfo/python-ideas
> Code of Conduct: http://python.org/psf/codeofconduct/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-ideas/attachments/20150806/c39d0629/attachment-0001.html>
More information about the Python-ideas
mailing list