On 5/1/07, Jim Jewett <[EMAIL PROTECTED]> wrote:
> On 5/1/07, Guido van Rossum <[EMAIL PROTECTED]> wrote:
> > On 5/1/07, Jim Jewett <[EMAIL PROTECTED]> wrote:
>
> > > There are some things you can safely do with even arbitrary objects --
> > > such as appending them to a list.
>
> > > By mentioning security as a reason to restrict the format, it suggests
> > > that this is another safe context. It isn't.
>
> > But your presumption that the map is already evil makes it irrelevant
> > whether the format is safe or not. Having the evil map is the problem,
> > not passing it to the format operation.
>
> Using a map was probably misleading. Let me rephrase:
>
> While the literal string itself is safe, the format function is only
> as safe as the objects being formatted. The example below gets
> person.name; if the person object itself is malicious, then even this
> attribute access could run arbitrary code.
>
> "My name is {0.name}".format(person)
And my point is that the security concerns here are not about
malicious arguments to the format() method; that's not part of the
threat model. If you have a person object in your program you can't
trust, you have a problem whether or not you use the format method.
The threat we're concerned here (as Patrick explained in his
response) is format strings provided by translators or non-root
webmasters or (less likely) end users. Translation is probably the
main use case; another use case is exemplified by mailman, which gives
list owners the means to edit list-specific html templates which are
used as format strings. We want to prevent those folks from
(accidentally or intentionally) crashing the web server or elevating
their privileges.
--
--Guido van Rossum (home page: http://www.python.org/~guido/)
_______________________________________________
Python-3000 mailing list
[email protected]
http://mail.python.org/mailman/listinfo/python-3000
Unsubscribe:
http://mail.python.org/mailman/options/python-3000/archive%40mail-archive.com
