On 5/1/07, Guido van Rossum <[EMAIL PROTECTED]> wrote:
> On 5/1/07, Jim Jewett <[EMAIL PROTECTED]> wrote:

> > Note that while (literal strings used as) format strings are
> > effectively sandboxed, the formatted objects themselves are not.

> >     "My name is {0[name]}".format(evil_map)

> > would still allow evil_map to run arbitrary code.

> And how on earth would that be a security threat?

There are some things you can safely do with even arbitrary objects --
such as appending them to a list.

By mentioning security as a reason to restrict the format, it suggests
that this is another safe context.  It isn't.

-jJ
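An added illustration of the point above, not part of the thread: a plain `str.format` call with an index field hands control to the formatted object's `__getitem__`, while a `string.Formatter` subclass that resolves only bare names against `str` values never calls into caller-supplied objects. `TracingMap`, `RestrictedFormatter`, `restricted_format` and `is_rejected` are constructed names for this example.

```python
import string


class TracingMap:
    """Constructed stand-in for the thread's evil_map: str.format calls
    this object's __getitem__ for a {0[name]} field, so whatever that
    method does runs. Here it only records the key it was asked for."""

    def __init__(self):
        self.calls = []

    def __getitem__(self, key):
        self.calls.append(key)  # any code placed here would execute
        return "Jim"


def plain_format_invokes_getitem():
    """Show that the object, not the literal template, decides what runs."""
    m = TracingMap()
    result = "My name is {0[name]}".format(m)
    return result, m.calls  # ("My name is Jim", ["name"])


class RestrictedFormatter(string.Formatter):
    """Resolves only bare identifiers ({name}, never {0[name]} or
    {obj.attr}) against keyword fields whose values are already str, so
    the template can never invoke a method of a caller-supplied object."""

    def get_field(self, field_name, args, kwargs):
        if not field_name.isidentifier():
            raise ValueError(f"field {field_name!r}: traversal not allowed")
        value = kwargs[field_name]  # KeyError for unknown names
        if not isinstance(value, str):
            raise TypeError(f"field {field_name!r} must be str")
        return value, field_name


def restricted_format(template, **fields):
    return RestrictedFormatter().format(template, **fields)


def is_rejected(template, **fields):
    """True if the restricted formatter refuses the template/field pair."""
    try:
        restricted_format(template, **fields)
    except (ValueError, TypeError, KeyError):
        return True
    return False
```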
_______________________________________________
Python-3000 mailing list
[email protected]
http://mail.python.org/mailman/listinfo/python-3000