[Python-ideas] [Python-Dev] PEP-498: Literal String Formatting

Ryan Gonzalez rymg19 at gmail.com
Tue Aug 11 20:37:10 CEST 2015


Isn't it already like this? It's no harder than:

from subprocess import Popen

Popen('%s a.c' % cc, shell=True)  # cc is interpolated straight into a shell command line

Heck, I used to do that when I started programming (I hadn't yet learned about injection stuff).

If someone is uneducated about injection, they *will do it anyway*. The introduction of format strings (f-strings sounds like a certain word to me...) wouldn't make it any easier, really.

On August 11, 2015 1:22:06 PM CDT, Wes Turner <wes.turner at gmail.com> wrote:
>On Tue, Aug 11, 2015 at 12:52 PM, Wes Turner <wes.turner at gmail.com>
>wrote:
>
>> ... I'm now -1000 on this.
>>
>> ~"Make it hard to do wrong; or easy to do correctly"
>>
>> ... Here are these, (which should also not be used for porting shell
>> scripts to python):
>http://jinja.pocoo.org/docs/dev/templates/#expressions
>>
>
>So, again, I am
>-1000 on (both of these PEPs)
>because they are just another way of making it too easy to do the wrong
>thing.
>
>* #1 most prevalent security vulnerability:
>*1**CWE-89 <http://cwe.mitre.org/data/definitions/89.html>: Improper
>Neutralization of Special Elements used in an SQL Command ('SQL
>Injection')*
>
>   * ORM with parametrization, quoting, escaping and lists of reserved
>words
>     * SQLAlchemy
>
>* #2 most prevalent security vulnerability:
>*2**CWE-78 <http://cwe.mitre.org/data/definitions/78.html>: Improper
>Neutralization of Special Elements used in an OS Command ('OS Command
>Injection')*
>
>   * Command preparation library (which builds a tuple() for exec)
>     * Sarge, subprocess.call(shell=False=0)
>
>
>- [ ] DOC: (Something like this COULD/SHOULD be in the % and str.format
>docs as well)
>
>
>>
>> On Tue, Aug 11, 2015 at 12:48 PM, Wes Turner <wes.turner at gmail.com>
>wrote:
>>
>>>
>>> On Tue, Aug 11, 2015 at 12:08 PM, Nick Coghlan <ncoghlan at gmail.com>
>>> wrote:
>>>
>>>> [off list]
>>>>
>>>> On 12 August 2015 at 01:28, Wes Turner <wes.turner at gmail.com>
>wrote:
>>>> >
>>>> > On Aug 11, 2015 10:19 AM, "Wes Turner" <wes.turner at gmail.com>
>wrote:
>>>> >>
>>>> >>
>>>> >> On Aug 11, 2015 10:10 AM, "Alexander Walters" <
>>>> tritium-list at sdamon.com>
>>>> >> wrote:
>>>> >> >
>>>> >> > This may seem like a simplistic solution to i18n, but why not
>just
>>>> add a
>>>> >> > method to string objects (assuming we implement f-strings)
>that
>>>> just returns
>>>> >> > the original, unprocessed string.  If the string was not an
>>>> f-string, it
>>>> >> > just returns self.  The gettext module can be modified, I
>think
>>>> trivially,
>>>> >> > to use the method instead of the string directly.
>>>> >> >
>>>> >> > Is this a horrible idea?
>>>> >
>>>> > - [ ] review all string interpolation (for "injection")
>>>> >   * [ ] review every '%'
>>>> >   * [ ] review every ".format()"
>>>> >   * [ ] review every f-string (AND LOCALS AND GLOBALS)
>>>> >   * every os.system, os.exec*, subprocess.Popen
>>>> >   * every unclosed tag
>>>> >   * every unescaped control character
>>>> >
>>>> > This would create work we don't need.
>>>> >
>>>> > Solution: __str_shell_ escapes, adds slashes, and quotes.
>__str__SQL__
>>>> refs
>>>> > a global list of reserved words.
>>>>
>>>> Wes, we're not mind readers - I know you're trying to be concise to
>>>> save people time when reading, but these bullet-point-only posts
>are
>>>> *harder* to read than if you wrote out a full explanation of what
>you
>>>> meant. With this cryptic form, we have to try to guess the missing
>>>> pieces, which is slower and less certain than having them already
>>>> written out in the post.
>>>>
>>>
>>> ~"This is another way to make it easier to do the wrong thing; where
>a
>>> better solution (AND/OR DOCS ON ALL STRING INTERPOLATION) would be
>less
>>> likely to increase the occurrence of CWE TOP 25 #1 and #2"
>>>
>>> printf is often dangerous and wrong because things aren't escaped (or
>>> scope is not controlled, or things are mutable)
>>>
>>>
>>> ~"Make it hard to do; or easy to do the right way"
>>>
>>>
>>>>
>>>> Regards,
>>>> Nick.
>>>>
>>>> --
>>>> Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
>>>>
>>>
>>>
>>
>
>

-- 
Sent from my Nexus 5 with K-9 Mail. Please excuse my brevity.
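The pattern argued over above, worked through as an added example that is not part of the original thread: the same user-controlled value pushed through the interpolation styles the posts contrast. It covers both CWE items from Wes Turner's list, CWE-78 (the `Popen('%s a.c' % cc, shell=True)` form versus an argument list with `shell=False`, with `shlex.quote` as the "escapes and quotes" middle road) and CWE-89 (a value spliced into SQL text versus a parametrized query). The value `HOSTILE_CC`, the name `HOSTILE_NAME` and the in-memory `users` table are constructed for the demonstration; the interpolated SQL form is executed only against that throwaway table to show how many rows it leaks.

```python
"""Added example (not from the original thread): one user-controlled value
fed through the interpolation styles the posts contrast.

CWE-78: string interpolation into a shell command line vs. an argv list.
CWE-89: string interpolation into SQL text vs. a parametrized query.
All inputs and the database are constructed for this demonstration."""
from __future__ import annotations

import shlex
import sqlite3
import subprocess
import sys

# Constructed value: looks like a compiler name but carries a shell
# metacharacter.  It is never handed to a real shell in this file.
HOSTILE_CC = "gcc; echo INJECTED"
# Constructed value: the classic tautology payload for a quoted SQL literal.
HOSTILE_NAME = "x' OR '1'='1"


def shell_command_line(cc: str) -> str:
    """The exact string a `shell=True` call would pass to /bin/sh.
    '%' formatting does nothing to neutralize ';', '|' or '$(...)', so the
    result is two commands.  Returned, not executed."""
    return "%s a.c" % cc


def quoted_shell_command_line(cc: str) -> str:
    """The escaping approach ("escapes, adds slashes, and quotes"):
    shlex.quote wraps the value so the shell sees it as one word.
    Still a shell command line, so only as good as the quoting is complete."""
    return "%s a.c" % shlex.quote(cc)


def argv_for_subprocess(cc: str) -> list[str]:
    """The shell=False form the thread recommends: every element is one
    argv entry no matter what it contains, so there is nothing to escape."""
    return [cc, "a.c"]


def child_sees(value: str) -> str:
    """Run an argument list with shell=False and return argv[1] exactly as
    the child process received it.  Uses the running interpreter as the
    child so the check works offline on any platform."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_interpolated(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """CWE-89 form: the value becomes part of the statement text, so a quote
    in the value ends the literal and the rest is parsed as SQL."""
    return conn.execute("SELECT id FROM users WHERE name = '%s'" % name).fetchall()


def lookup_parametrized(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """The 'easy to do correctly' form: the driver binds the value, the
    statement text never changes, and the payload is just an unknown name."""
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    print("shell=True would run :", shell_command_line(HOSTILE_CC))
    print("quoted command line  :", quoted_shell_command_line(HOSTILE_CC))
    print("argv list            :", argv_for_subprocess(HOSTILE_CC))
    print("child saw argv[1] as :", child_sees(HOSTILE_CC))
    db = make_db()
    print("interpolated SQL rows:", lookup_interpolated(db, HOSTILE_NAME))
    print("parametrized SQL rows:", lookup_parametrized(db, HOSTILE_NAME))
```

The point the functions make side by side: with the argv list the metacharacters survive into the child as a single literal argument, and with the bound parameter the tautology payload matches no user at all, whereas the interpolated statement returns every row in the table.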

