[Python-ideas] String interpolation for all literal strings

Wes Turner wes.turner at gmail.com
Fri Aug 7 00:58:15 CEST 2015


On Thu, Aug 6, 2015 at 5:24 PM, Eric V. Smith <eric at trueblade.com> wrote:

> On 8/6/2015 6:15 PM, Wes Turner wrote:
> >
> >
> > On Thu, Aug 6, 2015 at 2:44 PM, Eric V. Smith <eric at trueblade.com> wrote:
> >
> >     On 08/06/2015 03:02 PM, Wes Turner wrote:
> >     >
> >     >
> >     > On Wed, Aug 5, 2015 at 8:58 PM, Terry Reedy <tjreedy at udel.edu> wrote:
> >     >
> >     >     On 8/5/2015 3:34 PM, Yury Selivanov wrote:
> >     >
> >     >         '\{..}' feels unbalanced and weird.
> >     >
> >     >
> >     >     Escape both.  The closing } is also treated specially, and not
> >     >     inserted into the string.  The compiler scans linearly from
> >     >     left to right, but human eyes are not so constrained.
> >     >
> >     >     s = "abc\{kjljid some long expression jk78738}def"
> >     >
> >     >     versus
> >     >
> >     >     s = "abc\{kjljid some long expression jk78738\}def"
> >     >
> >     >     and how about
> >     >
> >     >     s = "abc\{kjljid some {long} expression jk78738\}def"
> >     >
> >     >
> >     > +1: escape \{both\}.
> >     >
> >     > Use cases where this is (as dangerous as other string interpolation
> >     > methods):
> >     >
> >     > * Shell commands that should be shlex-parsed/quoted
> >     > * (inappropriately, programmatically) writing
> >     >    code with manually-added quotes ' and doublequotes "
> >     > * XML,HTML,CSS,SQL, textual query language injection
> >     > * Convenient, but dangerous and IMHO much better handled
> >     >    by e.g. MarkupSafe, a DOM builder, a query ORM layer
> >     >
> >     > Docs / Utils:
> >     >
> >     > * [ ] ENH: AST scanner for these (before i do __future__ import)
> >     > * [ ] DOC: About string interpolation, in general
> >
> >     I don't understand what you're trying to say.
> >
> >     os.system("cp \{cmd}")
> >
> >     is no better or worse than:
> >
> >     os.system("cp " + cmd)
> >
> >
> > All wrong (without appropriate escaping):
> >
> >     os.system("cp thisinthemiddleofmy\{cmd}.tar")
> >     os.system("cp thisinthemiddleofmy\{cmd\}.tar")
> >     os.system("cp " + cmd)
> >     os.exec*
> >     os.spawn*
>
> Not if you control cmd. I'm not sure of your point. As I said, there are
> opportunities for injection that exist before the interpolation proposals.
>
> > Okay:
> >
> >     subprocess.call(('cp', 'thisinthemiddleofmy\{cmd\}.tar')) # shell=True=Dangerous
>
> I know that. This proposal does not change any of this. Is any of this
> discussion of injections relevant to the interpolated string proposal?
>

This discussion is directly relevant to static and dynamic analysis
"scanners" for e.g. CWE-89, CWE-78
https://cwe.mitre.org/data/definitions/78.html#Relationships

It's just another syntax but there are downstream changes to tooling.

- [ ] Manual review



>
> >     sarge.run('cp thisinthemiddleofmy{0!s}.tar', cmd)
>
> Never heard of sarge.
>

Sarge handles threading, shell escaping, and | pipes (even w/ Windows) on
top of subprocess. Something similar in the stdlib someday #ideas would be
great
[and would solve for the 'how do i teach this person to write a shell
script python module to be called by a salt module?' use case].



>
> Eric.
>
> >
> >     Yes, there are lots of opportunities in the world for injection attacks.
> >     This proposal doesn't change that. I don't see how escaping the final }
> >     changes anything.
> >
> >     Eric.
> >
> >
> >     _______________________________________________
> >     Python-ideas mailing list
> >     Python-ideas at python.org <mailto:Python-ideas at python.org>
> >     https://mail.python.org/mailman/listinfo/python-ideas
> >     Code of Conduct: http://python.org/psf/codeofconduct/
> >
> >
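The "AST scanner" item in Wes's list, worked through as an added example that is not part of this thread: a small static check that flags shell-command sinks fed a dynamically built string (the CWE-78 pattern discussed above). It assumes the interpolation syntax is the f-string form Python later adopted rather than the thread's `\{...}` proposal; the sink list and the sample module it scans are constructed for the demo.

```python
import ast

# Constructed sample module (not from the thread): one command, several spellings.
SAMPLE = '''
import os, subprocess
cmd = input()
os.system("cp " + cmd)                        # concatenation
os.system(f"cp thisinthemiddleofmy{cmd}.tar")  # interpolation (f-string)
os.system("cp %s" % cmd)                      # printf-style formatting
os.system("cp {}".format(cmd))                # str.format
os.system("cp fixed.tar")                     # constant: not flagged
subprocess.call("cp " + cmd, shell=True)      # shell string: flagged
subprocess.call(["cp", cmd])                  # argv list: not flagged
'''

# Hypothetical sink list for the demo; a real scanner would be broader.
SHELL_SINKS = {("os", "system"), ("subprocess", "call"), ("subprocess", "run"),
               ("subprocess", "Popen"), ("subprocess", "check_output")}

def _dotted(func):
    """('mod', 'attr') for a call spelled mod.attr(...), else None."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    return None

def _is_dynamic_string(node):
    """True for f-strings, '+' concatenation, '%' formatting or .format()."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")

def find_shell_string_sinks(source):
    """Line numbers where a shell sink receives a run-time-built command string.
    os.system always uses a shell; subprocess.* only with shell=True."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and node.args):
            continue
        target = _dotted(node.func)
        if target not in SHELL_SINKS:
            continue
        uses_shell = target == ("os", "system") or any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant)
            and kw.value.value is True for kw in node.keywords)
        if uses_shell and _is_dynamic_string(node.args[0]):
            hits.append(node.lineno)
    return sorted(hits)
```

On the sample it reports lines 4 to 7 and 9, while the constant string and the argv list pass; this is the kind of tooling update a new interpolation syntax forces, since the scanner must recognise the new node type (here `ast.JoinedStr`).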