OT Annoying Habits (Was: when format strings attack)
Carroll, Barry
Barry.Carroll at psc.com
Fri Jan 19 15:20:26 EST 2007
Greetings:
Personally, I don't think top-posting is the most annoying newsgroup
habit. I think it's making a big fuss about minor inconveniences.
One of the nicest things about being human is the amazing flexibility of
our brains. For example, if a block of text isn't arranged in the order
we're used to, we can easily rearrange it mentally and read it anyway.
Oriental and Arabic peoples, for example, do this each time they read
something written in English. It's EASY, once you get used to it!
It took me about 3 seconds to realize that Mr. D'Aprano' Q&A session was
laid out bottom-to-top instead of top-to-bottom. After that, it made
perfect sense. While it was a excellent way to demonstrate his
argument, it failed to prove his point, because, while top-to-bottom may
be the way he reads things, it isn't the way _everyone_ reads things.
So, as far as I'm concerned, post your posts in whatever manner works
for you. If it's in English, I'll figure it out. If not, well, there's
always Babelfish. ;^)
Regards,
Barry
barry.carroll at psc.com
541-302-1107
________________________
We who cut mere stones must always be envisioning cathedrals.
-Quarry worker's creed
> -----Original Message-----
> From: Steven D'Aprano [mailto:steve at REMOVE.THIS.cybersource.com.au]
> Sent: Friday, January 19, 2007 11:30 AM
> To: python-list at python.org
> Subject: Re: when format strings attack
>
> On Fri, 19 Jan 2007 10:43:53 -0800, John Zenger wrote:
>
> > Perhaps it is not as severe a security risk, but pure Python
programs
> > can run into similar problems if they don't check user input for %
> > codes.
>
> Please don't top-post.
>
> A: Because it messes up the order that we read things.
> Q: Why?
> A: Top-posting.
> Q: What is the most annoying newsgroup habit?
>
>
> > Example:
> >
> >>>> k = raw_input("Try to trick me: ")
> > Try to trick me: How about %s this?
> >>>> j = "User %s just entered: " + k
> >>>> print j % "John"
> > Traceback (most recent call last):
> > File "<pyshell#8>", line 1, in ?
> > print j % "John"
> > TypeError: not enough arguments for format string
>
> That's hardly the same sort of vulnerability the article was talking
> about, but it is a potential bug waiting to bite.
>
> In a serious application, you should keep user-inputted strings
separate
> from application strings, and never use user strings unless they've
been
> made safe. See Joel Spolsky's excellent article about one way of doing
> that:
>
> http://www.joelonsoftware.com/articles/Wrong.html
>
>
>
> --
> Steven.
>
More information about the Python-list
mailing list