Eric V. Smith wrote:
> Nick Coghlan wrote:
>>> Feature: Exception raised if attribute with leading underscore accessed.
>>>
>>> The syntax supported by the PEP is deliberately limited in an attempt
>>> to increase security. This is an additional security measure, which
>>> is on by default, but can be optionally disabled if
>>> string.flag_format() is used instead of 'somestring'.format().
>> -0
>>
>> This is only an issue if implicit access to locals()/globals() is
>> permitted, and is unlikely to help much in that case (underscores are
>> rarely used with local variables, and those are the most likely to
>> contain juicy information which may be leaked)
>
> That's not true. What this feature is trying to prevent is access to
> attributes of the passed in objects. For example:

I should have said "It's not an issue only if locals()/globals() are allowed". It is true that automatic locals()/globals() magnifies this issue, but it exists even without it.

Eric.
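The leading-underscore check discussed in this message, sketched on top of the standard library's `string.Formatter` as an added example (it is not part of the original message and not the PEP's own implementation). `UnderscoreBlockingFormatter`, `attribute_steps`, `is_rejected` and the `Account` sample object are hypothetical names constructed for illustration.

```python
import re
import string

# Matches one ".attr" or "[index]" step of a replacement field name.
_STEP = re.compile(r"\.([^.\[]*)|\[[^\]]*\]")


def attribute_steps(field_name):
    """Return the names reached with '.' in a field such as '0.a[b].c'."""
    head = re.match(r"[^.\[]*", field_name).end()
    return [m.group(1) for m in _STEP.finditer(field_name, head)
            if m.group(1) is not None]


class UnderscoreBlockingFormatter(string.Formatter):
    """Formatter that refuses attribute lookups with a leading underscore."""

    def get_field(self, field_name, args, kwargs):
        # Called for every field, including fields nested in a format spec.
        for name in attribute_steps(field_name):
            if name.startswith("_"):
                raise ValueError(
                    f"attribute {name!r} is not allowed in a format string")
        return super().get_field(field_name, args, kwargs)


class Account:  # constructed sample object passed to the formatter
    def __init__(self):
        self.owner = "alice"
        self._token = "constructed-secret"


def is_rejected(template, *args):
    """True if the restricted formatter refuses the template."""
    try:
        UnderscoreBlockingFormatter().format(template, *args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    acct = Account()
    print("{0._token}".format(acct))        # plain str.format follows the attribute
    print(is_rejected("{0._token}", acct))  # restricted formatter refuses it
    print(UnderscoreBlockingFormatter().format("{0.owner}", acct))
```

Only attribute steps are checked; a bracketed index such as `{0[a._b]}` is a key lookup and passes through unchanged.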
