[Python-ideas] [Python-Dev] PEP-498: Literal String Formatting
Eric V. Smith
eric at trueblade.com
Tue Aug 11 20:34:25 CEST 2015
Wes:
Your objection is noted. Thanks.
Eric.
On 08/11/2015 02:22 PM, Wes Turner wrote:
>
>
> On Tue, Aug 11, 2015 at 12:52 PM, Wes Turner <wes.turner at gmail.com
> <mailto:wes.turner at gmail.com>> wrote:
>
> ... I'm now -1000 on this.
>
> ~"Make it hard to do wrong; or easy to do correctly"
>
> ... Here are these, (which should also not be used for porting shell
> scripts to
> python): http://jinja.pocoo.org/docs/dev/templates/#expressions
>
>
> So, again, I am
> -1000 on (both of these PEPs)
> because they are just another way of making it too easy to do the wrong
> thing.
>
> * #1 most prevalent security vulnerability:
> *1* *CWE-89 <http://cwe.mitre.org/data/definitions/89.html>: Improper
> Neutralization of Special Elements used in an SQL Command ('SQL Injection')*
>
>
> * ORM with parametrization, quoting, escaping and lists of reserved
> words
> * SQLAlchemy
>
> * #2 most prevalent security vulnerability:
> *2* *CWE-78 <http://cwe.mitre.org/data/definitions/78.html>: Improper
> Neutralization of Special Elements used in an OS Command ('OS Command
> Injection')*
>
>
> * Command preparation library (which builds a tuple() for exec)
> * Sarge, subprocess.call(shell=False=0)
>
>
> - [ ] DOC: (Something like this COULD/SHOULD be in the % and str.format
> docs as well)
>
>
>
> On Tue, Aug 11, 2015 at 12:48 PM, Wes Turner <wes.turner at gmail.com
> <mailto:wes.turner at gmail.com>> wrote:
>
>
> On Tue, Aug 11, 2015 at 12:08 PM, Nick Coghlan
> <ncoghlan at gmail.com <mailto:ncoghlan at gmail.com>> wrote:
>
> [off list]
>
> On 12 August 2015 at 01:28, Wes Turner <wes.turner at gmail.com
> <mailto:wes.turner at gmail.com>> wrote:
> >
> > On Aug 11, 2015 10:19 AM, "Wes Turner" <wes.turner at gmail.com <mailto:wes.turner at gmail.com>> wrote:
> >>
> >>
> >> On Aug 11, 2015 10:10 AM, "Alexander Walters" <tritium-list at sdamon.com <mailto:tritium-list at sdamon.com>>
> >> wrote:
> >> >
> >> > This may seem like a simplistic solution to i18n, but why not just add a
> >> > method to string objects (assuming we implement f-strings) that just returns
> >> > the original, unprocessed string. If the string was not an f-string, it
> >> > just returns self. The gettext module can be modified, I think trivially,
> >> > to use the method instead of the string directly.
> >> >
> >> > Is this a horrible idea?
> >
> > - [ ] review all string interpolation (for "injection")
> > * [ ] review every '%'
> > * [ ] review every ".format()"
> > * [ ] review every f-string (AND LOCALS AND GLOBALS)
> > * every os.system, os.exec*, subprocess.Popen
> > * every unclosed tag
> > * every unescaped control character
> >
> > This would create work we don't need.
> >
> > Solution: __str_shell_ escapes, adds slashes, and quotes. __str__SQL__ refs
> > a global list of reserved words.
>
> Wes, we're not mind readers - I know you're trying to be concise to
> save people time when reading, but these bullet-point-only posts are
> *harder* to read than if you wrote out a full explanation of what you
> meant. With this cryptic form, we have to try to guess the missing
> pieces, which is slower and less certain than having them already
> written out in the post.
>
>
> ~"This is another way to make it easier to do the wrong thing;
> where a better solution (AND/OR DOCS ON ALL STRING
> INTERPOLATION) would be less likely to increase the occurrence of
> CWE TOP 25 #1 and #2"
>
> printf is often dangerous and wrong because things aren't escaped
> (or scope is not controlled, or things are mutable)
>
>
> ~"Make it hard to do; or easy to do the right way"
>
>
>
> Regards,
> Nick.
>
> --
> Nick Coghlan | ncoghlan at gmail.com
> <mailto:ncoghlan at gmail.com> | Brisbane, Australia
>
>
>
>
>
>
> _______________________________________________
> Python-ideas mailing list
> Python-ideas at python.org
> https://mail.python.org/mailman/listinfo/python-ideas
> Code of Conduct: http://python.org/psf/codeofconduct/
>
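The two CWEs named in the quoted message (CWE-89 SQL injection, CWE-78 OS command injection) both come from the same mistake: interpolating an untrusted value into text that another parser (the database, the shell) will later interpret. The following is an added example, not code from this thread or from PEP 498, showing each vulnerable shape beside the remedy the message points at (driver parametrization, and an argv list with shell=False). The table, the sample users and the helper names are constructed for the example; the string `report.txt; rm -rf /` is the attacker-controlled input, and nothing here ever executes it through a shell.

```python
import json
import shlex
import sqlite3
import subprocess
import sys

# Constructed sample data for the example; not taken from the thread.
SAMPLE_USERS = [("alice",), ("bob",), ("carol",)]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """CWE-89 shape: the value is interpolated into the SQL text, so a quote
    character in it changes the statement instead of being treated as data.
    An f-string, '%' or str.format() all behave identically here."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parametrized query: the driver passes the value separately from the
    SQL text, so it can never alter the statement's structure."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def shell_tokens(command: str) -> list:
    """Approximate what /bin/sh would see: with punctuation_chars=True,
    shlex splits ';', '|', '&' and friends into their own tokens."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def list_command_unsafe(filename: str) -> str:
    """CWE-78 shape: a command string built by interpolation and (in the
    real bug) handed to subprocess with shell=True or to os.system()."""
    return f"ls -l {filename}"


def list_command_quoted(filename: str) -> str:
    """If a shell string is unavoidable, quote each argument for the shell."""
    return f"ls -l {shlex.quote(filename)}"


def argv_seen_by_child(filename: str) -> list:
    """Remedy: shell=False with an argv list. The filename reaches the child
    as exactly one argv entry, whatever characters it contains. The running
    Python interpreter is used as the child so this runs wherever Python does
    and touches no real files."""
    result = subprocess.run(
        [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))", filename],
        capture_output=True, text=True, check=True,
    )
    return json.loads(result.stdout)


if __name__ == "__main__":
    conn = make_db()
    hostile_name = "' OR '1'='1"
    print("unsafe SQL rows:", lookup_unsafe(conn, hostile_name))   # every user
    print("safe SQL rows:  ", lookup_safe(conn, hostile_name))     # no match
    hostile_file = "report.txt; rm -rf /"
    print("shell sees:     ", shell_tokens(list_command_unsafe(hostile_file)))
    print("quoted sees:    ", shell_tokens(list_command_quoted(hostile_file)))
    print("argv sees:      ", argv_seen_by_child(hostile_file))
```

The SQL half returns every row for the hostile input through the interpolated query and nothing through the parametrized one; the shell half shows `rm -rf /` appearing as separate tokens in the interpolated command, while the argv-list form delivers the whole hostile string as a single argument. Note that the interpolation syntax is not the root cause: the remedy is to keep data out of the command text entirely (parameters, argv lists), with shell quoting as the fallback only when a shell string cannot be avoided.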