Can I suggest adding a "Specification" section (see https://www.python.org/dev/peps/pep-0012/#suggested-sections for the suggested sections to have in a PEP)?
When you first pull up the PEP it goes from "Rationale" to "Valid Locations for LiteralString". As a reader that doesn't point me at a valid start point to capture the key details I need to know to understand what changes to Python are being proposed. For instance, is LiteralString supposed to be a new built-in? Is it a subclass of str? I have no way to know from the first section of the PEP that isn't trying to convince me why this PEP is worth reading.

On Mon, Feb 7, 2022 at 3:38 PM Pradeep Kumar Srinivasan <gohan...@gmail.com> wrote:

> PEP 675 [1] introduces a supertype for precise literal string types, such as `Literal["foo"]`, called `LiteralString`.
>
> The PEP allows libraries to distinguish the type of command strings from data. Powerful, command-executing libraries try to prevent security vulnerabilities by accepting arguments separately from the SQL query or shell command. However, these libraries have no way to prevent programmers from, say, using f-strings to embed arguments within the command string, which can allow malicious users to execute arbitrary commands (called "SQL/shell injection"). With this PEP, libraries can rely on type checkers to prevent such common, undesired uses.
>
> Scala has a very similar concept that is used to prevent SQL injection at compile time. [5] We also discuss the drawbacks of alternative approaches, such as security linters, full taint analysis, and NewTypes [6].
>
> Since we have reached consensus on the PEP in typing-sig [2], we wanted to get your comments and suggestions before submitting to the Steering Council.
>
> This PEP is mainly useful for type checking. There are no changes to Python syntax or runtime behavior.
>
> Discussions:
> + typing-sig: [2]
> + BPO issue suggesting using this PEP to prevent vulnerabilities in loggers: [4]
> + Reddit thread on r/Python discussing this PEP: [3]
>
> Thanks,
> S Pradeep Kumar
> Graham Bleaney
>
> [1]: https://www.python.org/dev/peps/pep-0675/
> [2]: https://mail.python.org/archives/list/typing-...@python.org/thread/VB74EHNM4RODDFM64NEEEBJQVAUAWIAW/
> [3]: https://www.reddit.com/r/Python/comments/r71lzi/pep_675_arbitrary_literal_strings/
> [4]: https://bugs.python.org/issue46200
> [5]: https://www.python.org/dev/peps/pep-0675/#literal-string-types-in-scala
> [6]: https://www.python.org/dev/peps/pep-0675/#rejected-alternatives
>
> _______________________________________________
> Python-Dev mailing list -- python-dev@python.org
> To unsubscribe send an email to python-dev-le...@python.org
> https://mail.python.org/mailman3/lists/python-dev.python.org/
> Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/AXR3ZBEZF2UTBC2RFCASBTQB4ZYNQGET/
> Code of Conduct: http://python.org/psf/codeofconduct/
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/7O66E32XD6ZWLQHW55OPWBJ6AQNF7SYT/
Code of Conduct: http://python.org/psf/codeofconduct/
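The quoted announcement describes the mechanism in prose: a library annotates its command-string parameter as `LiteralString` and keeps data in separate parameters, so a type checker rejects any call that splices a plain `str` into the command. The following is an added illustration of that boundary, not code from the thread or from PEP 675 itself. The `run_query` helper, the `users` table and the hostile input are constructed for the demo; `LiteralString` is in `typing` on Python 3.11+ (and in `typing_extensions` before that), and it is enforced only by a PEP 675-aware checker such as pyright, so the injected call still executes at runtime, which is exactly what the demo uses to show what the checker would have prevented.

```python
"""Added example: a LiteralString boundary around an SQL call.

Not part of the mailing-list thread or of PEP 675. The helper names, the
schema and the inputs below are constructed for this demo. The annotation
is static only: at runtime LiteralString is just str.
"""
from __future__ import annotations

import sqlite3
from typing import TYPE_CHECKING

if TYPE_CHECKING:
    # Only a type checker needs the name; with postponed annotations the
    # runtime never evaluates it, so this also works on Python < 3.11
    # (where the name lives in typing_extensions instead).
    from typing import LiteralString


def open_demo_db() -> sqlite3.Connection:
    """In-memory database seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def run_query(conn: sqlite3.Connection, sql: LiteralString, *params: object) -> list[tuple]:
    """The library boundary from the announcement.

    `sql` must be built entirely from string literals (a PEP 675 checker also
    accepts concatenation and f-strings whose pieces are all literals); any
    value derived from a plain `str` is rejected at the call site. Data goes
    through `params`, which the driver binds without ever touching the SQL text.
    """
    return conn.execute(sql, params).fetchall()


def lookup_user(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Type-checks: the query is a literal, the user-controlled name is a parameter."""
    return run_query(conn, "SELECT id, name, role FROM users WHERE name = ?", name)


def lookup_user_injected(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Rejected by a PEP 675-aware checker: `name` is `str`, so the f-string is
    `str` rather than `LiteralString`. The `type: ignore` exists only so the
    runtime demo can show the injection the checker would otherwise block."""
    return run_query(conn, f"SELECT id, name, role FROM users WHERE name = '{name}'")  # type: ignore


def demo() -> tuple[int, int]:
    """Run both lookups with a classic tautology payload (constructed input)."""
    conn = open_demo_db()
    hostile = "x' OR '1'='1"
    safe_rows = lookup_user(conn, hostile)             # bound as data: no such user
    injected_rows = lookup_user_injected(conn, hostile)  # becomes WHERE ... OR '1'='1'
    return len(safe_rows), len(injected_rows)


if __name__ == "__main__":
    print(demo())  # (0, 3)
```

Running pyright over this file reports the argument-type error on the f-string line as soon as the `type: ignore` is removed, while `lookup_user` passes untouched; that is the whole of what the PEP adds, since nothing in the Python runtime changes.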