On 7/22/2010 5:45 AM, python-dev-requ...@python.org wrote:
Message: 10
Date: Thu, 22 Jul 2010 16:04:00 +0200
From: Bartosz Tarnowski <bartosz-tarnow...@zlotniki.pl>
To: python-dev@python.org
Subject: [Python-Dev] Set the namespace free!
Message-ID: <4c484fd0.2080...@zlotniki.pl>
Content-Type: text/plain; charset=UTF-8; format=flowed


Hello, guys.

Python has more and more reserved words over time. It becomes quite annoying,
since you can not use variables and attributes of such names. Suppose I want to
make an XML parser that reads a document and returns an object with attributes
corresponding to XML element attributes:

  >  elem = parse_xml("<element param='boo'/>")
  >  print elem.param

What should I do then, when the attribute is a reserved word?

    That's a misuse of attributes.  When you need objects with
unconstrained fields, inherit them from "dict", and write

    print(elem['param'])

This protects you not only from name clashes, but from difficulties
with names that don't fit Python attribute syntax.  (BeautifulSoup
occasionally crashes due to this problem when parsing malformed HTML).
You can still provide a "__getattr__" function, if desired, for
convenient access to commonly used attributes.

    Using "setattr" to set attributes, where the attribute string
comes from an external source, can create a security hole.  Remember
that you can override functions on an object, for that object only,
by setting an attribute.  This offers the opportunity for an attack
similar to SQL injection.  Think about what this can do to a parser
that has and calls a method "display" for each element:

        <element display='lambda x : subprocess.Popen("rm -r -f /")'>

You are pwned.

                                John Nagle
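
An added example, not part of the original message: it contrasts an element that copies externally supplied attribute names onto itself with setattr against the dict-based design suggested above, and adds a check for instance attributes that shadow class methods. The class names, the helper and the sample input are constructed for illustration.

```python
# Added example; all names below are hypothetical, not from any real parser.

class UnsafeElement:
    """Copies parsed attributes onto the instance with setattr."""
    def __init__(self, attrs):
        for name, value in attrs.items():
            # External names land in the instance __dict__, where they
            # take precedence over methods defined on the class.
            setattr(self, name, value)

    def display(self):
        return "<element>"


class SafeElement(dict):
    """Keeps parsed attributes as dict items, apart from the object's namespace."""
    def display(self):
        return "<element %s>" % " ".join(sorted(self))

    def __getattr__(self, name):
        # Only reached when normal lookup fails, so class methods always win.
        try:
            return self[name]
        except KeyError:
            raise AttributeError(name) from None


def shadowed_methods(obj):
    """Return instance attribute names that hide a callable defined on the class."""
    cls = type(obj)
    return sorted(n for n in vars(obj) if callable(getattr(cls, n, None)))


# Constructed input: attribute names and values as a parser would hand them over.
PARSED = {"param": "boo", "display": "not a function", "class": "x"}


def demo():
    unsafe = UnsafeElement(PARSED)
    safe = SafeElement(PARSED)
    try:
        unsafe.display()          # the str value replaced the method on this instance
        unsafe_result = "ok"
    except TypeError:             # 'str' object is not callable
        unsafe_result = "TypeError"
    return (unsafe_result, shadowed_methods(unsafe),
            safe.display(), safe.param, safe["class"])
```
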
