[Python-ideas] String interpolation for all literal strings

Eric V. Smith eric at trueblade.com
Fri Aug 7 00:24:31 CEST 2015


On 8/6/2015 6:15 PM, Wes Turner wrote:
> 
> 
> On Thu, Aug 6, 2015 at 2:44 PM, Eric V. Smith <eric at trueblade.com> wrote:
> 
>     On 08/06/2015 03:02 PM, Wes Turner wrote:
>     >
>     >
>     > On Wed, Aug 5, 2015 at 8:58 PM, Terry Reedy <tjreedy at udel.edu> wrote:
>     >
>     >     On 8/5/2015 3:34 PM, Yury Selivanov wrote:
>     >
>     >         '\{..}' feels unbalanced and weird.
>     >
>     >
>     >     Escape both.  The closing } is also treated specially, and not
>     >     inserted into the string.  The compiler scans linearly from left to
>     >     right, but human eyes are not so constrained.
>     >
>     >     s = "abc\{kjljid some long expression jk78738}def"
>     >
>     >     versus
>     >
>     >     s = "abc\{kjljid some long expression jk78738\}def"
>     >
>     >     and how about
>     >
>     >     s = "abc\{kjljid some {long} expression jk78738\}def"
>     >
>     >
>     > +1: escape \{both\}.
>     >
>     > Use cases where this is (as dangerous as other string interpolation
>     > methods):
>     >
>     > * Shell commands that should be shlex-parsed/quoted
>     > * (inappropriately, programmatically) writing
>     >    code with manually-added quotes ' and doublequotes "
>     > * XML,HTML,CSS,SQL, textual query language injection
>     > * Convenient, but dangerous and IMHO much better handled
>     >    by e.g. MarkupSafe, a DOM builder, a query ORM layer
>     >
>     > Docs / Utils:
>     >
>     > * [ ] ENH: AST scanner for these (before I do __future__ import)
>     > * [ ] DOC: About string interpolation, in general
> 
>     I don't understand what you're trying to say.
> 
>     os.system("cp \{cmd}")
> 
>     is no better or worse than:
> 
>     os.system("cp " + cmd)
> 
> 
> All wrong (without appropriate escaping):
> 
>     os.system("cp thisinthemiddleofmy\{cmd}.tar")
>     os.system("cp thisinthemiddleofmy\{cmd\}.tar")
>     os.system("cp " + cmd)
>     os.exec*
>     os.spawn*

Not if you control cmd. I'm not sure of your point. As I said, there are
opportunities for injection that exist before the interpolation proposals.

> Okay:
> 
>     subprocess.call(('cp', 'thisinthemiddleofmy\{cmd\}.tar')) # shell=True=Dangerous

I know that. This proposal does not change any of this. Is any of this
discussion of injections relevant to the interpolated string proposal?

>     sarge.run('cp thisinthemiddleofmy{0!s}.tar', cmd)

Never heard of sarge.

Eric.

> 
>     Yes, there are lots of opportunities in the world for injection attacks.
>     This proposal doesn't change that. I don't see how escaping the final }
>     changes anything.
> 
>     Eric.
> 
> 
>     _______________________________________________
>     Python-ideas mailing list
>     Python-ideas at python.org
>     https://mail.python.org/mailman/listinfo/python-ideas
>     Code of Conduct: http://python.org/psf/codeofconduct/
> 


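The disagreement above turns on the difference between handing the shell a concatenated or interpolated string and handing subprocess an argument list. The following is an added example, not code from the thread or from any of its participants: it uses shlex to show how a POSIX shell would tokenise each form, with a constructed filename that contains shell metacharacters.

```python
import shlex

# Constructed sample input: an attacker-influenced name carrying shell
# metacharacters (a ';' and spaces). Not a value taken from the thread.
UNTRUSTED_NAME = "backup; echo injected"


def naive_command(name):
    """The concatenation pattern from the thread: os.system("cp " + cmd)."""
    return "cp thisinthemiddleofmy" + name + ".tar /dest/"


def quoted_command(name):
    """Same shell string, but the untrusted part is wrapped by shlex.quote
    so the shell treats it as a single word."""
    return "cp " + shlex.quote("thisinthemiddleofmy" + name + ".tar") + " /dest/"


def argv_command(name):
    """No shell involved: one argument per element, the form that
    subprocess.call(('cp', ...)) takes in the thread."""
    return ["cp", "thisinthemiddleofmy" + name + ".tar", "/dest/"]


def shell_words(command):
    """Tokenise a command string with POSIX quoting rules, so we can inspect
    what argv the shell would hand to cp. shlex.split keeps ';' inside a
    word; a real shell would additionally end the cp command there."""
    return shlex.split(command)


if __name__ == "__main__":
    print(shell_words(naive_command(UNTRUSTED_NAME)))
    # ['cp', 'thisinthemiddleofmybackup;', 'echo', 'injected.tar', '/dest/']
    print(shell_words(quoted_command(UNTRUSTED_NAME)))
    # ['cp', 'thisinthemiddleofmybackup; echo injected.tar', '/dest/']
    print(argv_command(UNTRUSTED_NAME))
```

The quoted string and the argv list produce the same three words for cp, while the naive string turns one filename into four words; that split, not the `\{...\}` syntax, is where the injection lives.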