[Python-3000] [Python-Dev] Issues with PEP 3101 (string formatting)

Brett Cannon brett at python.org
Sun Jun 24 05:30:40 CEST 2007


On 6/20/07, Greg Falcon <veloso at verylowsodium.com> wrote:
> On 6/19/07, Chris McDonough <chrism at plope.com> wrote:
> > Given that security is a concern at all, the only truly reasonable
> > way to "limit security issues" is to disallow item and attribute
> > access completely within the string templating expression syntax.  It
> > seems gratuitous to me to encourage string templating expressions
> > with item/attribute access, given that you could do it within the
> > format arguments just as easily in the 99% case, and we've (well...
> > I've) happily been living with that restriction for years now.
> >
> > But if this syntax is preserved, there really should be no *default*
> > restrictions on the traversable names within an expression because
> > this will almost certainly become a hard-to-explain, hard-to-justify
> > bug magnet as it has become in Zope.
>
> This sounds exactly right to me.  I don't have strong feelings either
> way about attribute lookups in formatting strings, or the security
> problems they raise.  But while it seems a reasonable stance that
> user-injected getattr()s may pose a security problem, what seems
> indefensible is the stance that user-injected getattr()s are okay
> precisely when the attribute being looked up doesn't start with an
> underscore.
>
> A single underscore prefix is a hint to human readers, not to the
> language itself, and things should stay that way.

Since Talin said he wanted to see what others had to say, I am going
to say I agree with this sentiment.  I want string formatting to be
dead-simple.  That means either leaving out overly fancy formatting
abilities and keeping it simple, or making it very intuitive with as few
special cases as possible.

-Brett
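The two positions in the thread (drop item/attribute access from templates entirely, versus keeping it with a leading-underscore rule) can be made concrete with Python 3's `string.Formatter`, which is the API PEP 3101 eventually became. The following is an added example, not code from this thread or from PEP 3101's reference implementation; `RestrictedFormatter`, `render` and the `Account` sample object are assumptions made up here. It shows that plain `str.format` lets a template read any attribute of the objects it is given, including one with no leading underscore, and that overriding `get_field` to refuse `.` and `[` gives the "disallow item and attribute access completely" behaviour Chris McDonough describes:

```python
import string
from dataclasses import dataclass


class RestrictedFormatter(string.Formatter):
    """A str.format-style formatter that resolves only whole arguments.

    Fields like {name}, {0} or {} are allowed; {name.attr} and {name[key]}
    are rejected, so a template supplied by an untrusted party cannot walk
    into the objects passed to format().  Conversions ({name!r}) and format
    specs ({name:>10}) still work because they are parsed before get_field.
    (Hypothetical class written for this example.)
    """

    def get_field(self, field_name, args, kwargs):
        if "." in field_name or "[" in field_name:
            raise ValueError(
                f"attribute/item access is not allowed in template field {field_name!r}"
            )
        # Positional references arrive as digit strings ("0"); the base class
        # looks positional arguments up by int and keyword arguments by str.
        key = int(field_name) if field_name.isdigit() else field_name
        return self.get_value(key, args, kwargs), key


def render(template: str, *args, **kwargs) -> str:
    """Render an untrusted template against trusted arguments."""
    return RestrictedFormatter().format(template, *args, **kwargs)


@dataclass
class Account:
    # Constructed sample object; the field names are illustrative only.
    name: str
    password: str


def default_format_exposes_attribute(acct: Account) -> bool:
    """True if plain str.format lets a template read acct.password.

    The attribute has no leading underscore, so an underscore-only rule
    would not have blocked it either.
    """
    return "{u.password}".format(u=acct) == acct.password


def restricted_format_blocks_attribute(acct: Account) -> bool:
    """True if RestrictedFormatter refuses the same template."""
    try:
        render("{u.password}", u=acct)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    acct = Account(name="alice", password="hunter2")   # constructed sample
    print(render("Hello, {u}!", u=acct.name))          # Hello, alice!
    print(render("{0:>8}|{1!r}", "left", "x"))         # "    left|'x'"
    print(default_format_exposes_attribute(acct))      # True
    print(restricted_format_blocks_attribute(acct))    # True
```

The check lives in `get_field` rather than in a regular expression over the whole template because nested fields inside a format spec (`{value:{width}}`) are resolved through the same method, so they are covered too. What the restriction costs is exactly what the thread weighs: a caller who needs `{user.name}` has to pass `name=user.name` instead.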