The Case Against Python 3

Chris Angelico rosuav at gmail.com
Sat Nov 26 19:25:06 EST 2016


On Sun, Nov 27, 2016 at 11:13 AM, Steve D'Aprano
<steve+python at pearwood.info> wrote:
> So-called f-strings haven't even hit the  already been implicated in a
> code-injection vulnerability:
>
> http://bugs.python.org/issue28563
>
> I feel kind of vindicated here, because when so-called f-strings were first
> proposed I asked about the security implication of another way of
> evaluating arbitrary expressions, and I was told that there were no
> security implications. Technically that might be true in the sense that
> f-strings don't do anything that wasn't already possible, but as the above
> bug shows, they can make exploiting code injection trivially easy in cases
> where they were previously diabolically hard.

Given that the exploit exists in 2.7, I would say f-strings didn't
create this, eval did. The problem is that you absolutely CANNOT
"sanitize" something before giving it to eval. An f-string slips past
the sanitizer, but so do other things.

ChrisA
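The point Chris makes above, that text cannot be "sanitized" for eval, has a constructive counterpart: don't hand strings to eval at all, but parse them with `ast` and walk a whitelist of node types, so an f-string (`ast.JoinedStr`), a call, an attribute or any name outside the supplied mapping is rejected by construction. This is an added example for this thread, not code from the bug report or from the Python standard library; the function names `safe_eval`, `_walk` and `is_safe` are my own, and it assumes Python 3.8+ (where literals parse as `ast.Constant`).

```python
import ast
import operator

# Whitelisted node types mapped to evaluators. Anything outside these maps,
# including ast.JoinedStr (an f-string), ast.Call, ast.Attribute and
# ast.Subscript, is rejected, so nothing ever reaches eval().
_BIN = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
        ast.FloorDiv: operator.floordiv, ast.Mod: operator.mod}
_CMP = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}
_UNARY = {ast.Not: operator.not_, ast.USub: operator.neg}

class UnsafeExpression(ValueError):
    """Raised when the expression uses syntax outside the whitelist."""

def safe_eval(expr, variables):
    """Evaluate a small integer/boolean expression by walking its AST.
    `variables` is the only name lookup that exists; SyntaxError propagates."""
    tree = ast.parse(expr, mode="eval")
    return _walk(tree.body, variables)

def _walk(node, variables):
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value                        # ints and bools only
    if isinstance(node, ast.Name) and node.id in variables:
        return variables[node.id]
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
        return _UNARY[type(node.op)](_walk(node.operand, variables))
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN:
        return _BIN[type(node.op)](_walk(node.left, variables),
                                   _walk(node.right, variables))
    if isinstance(node, ast.BoolOp):             # short-circuits like and/or
        vals = (_walk(v, variables) for v in node.values)
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    if isinstance(node, ast.Compare):            # chained: a < b <= c
        left = _walk(node.left, variables)
        for op, rhs in zip(node.ops, node.comparators):
            if type(op) not in _CMP:
                raise UnsafeExpression("disallowed comparison: " + type(op).__name__)
            right = _walk(rhs, variables)
            if not _CMP[type(op)](left, right):
                return False
            left = right
        return True
    if isinstance(node, ast.IfExp):              # a if test else b
        branch = node.body if _walk(node.test, variables) else node.orelse
        return _walk(branch, variables)
    raise UnsafeExpression("disallowed syntax: " + type(node).__name__)

def is_safe(expr):
    """True if `expr` parses and uses only whitelisted syntax (n bound to 1)."""
    try:
        safe_eval(expr, {"n": 1})
        return True
    except (UnsafeExpression, SyntaxError):
        return False
```

The whitelist here is the shape of a C-style plural-form expression (arithmetic, comparisons, boolean operators and the ternary); anything the grammar does not need simply has no branch and raises.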
