On 6/19/07, Chris McDonough <[EMAIL PROTECTED]> wrote:
> Given that security is a concern at all, the only truly reasonable
> way to "limit security issues" is to disallow item and attribute
> access completely within the string templating expression syntax. It
> seems gratuitous to me to encourage string templating expressions
> with item/attribute access, given that you could do it within the
> format arguments just as easily in the 99% case, and we've (well...
> I've) happily been living with that restriction for years now.
>
> But if this syntax is preserved, there really should be no *default*
> restrictions on the traversable names within an expression because
> this will almost certainly become a hard-to-explain, hard-to-justify
> bug magnet as it has become in Zope.
This sounds exactly right to me. I don't have strong feelings either way about attribute lookups in formatting strings, or the security problems they raise. But while it seems a reasonable stance that user-injected getattr()s may pose a security problem, what seems indefensible is the stance that user-injected getattr()s are okay precisely when the attribute being looked up doesn't start with an underscore. A single underscore prefix is a hint to human readers, not to the language itself, and things should stay that way.

Greg F

_______________________________________________
Python-3000 mailing list
[email protected]
http://mail.python.org/mailman/listinfo/python-3000
Unsubscribe: http://mail.python.org/mailman/options/python-3000/archive%40mail-archive.com
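The two positions in the thread, shown in working code as an added example that is not part of the original messages. It uses the `str.format` attribute/item syntax that Python 3 ended up shipping; the `Account`/`User` classes, the `SERVICE_ACCOUNT` global, the two hostile templates and the two `string.Formatter` subclasses are constructed for illustration. A template the caller controls leaks a secret through a dunder chain to module globals and, just as easily, through an ordinary non-underscore attribute; a formatter that only blocks underscore names stops the first path and not the second, while a formatter that forbids traversal altogether (Chris McDonough's rule, with the values passed as format arguments) stops both.

```python
import string


# --- Constructed setup: a secret that no template is supposed to reveal ---
class Account:
    def __init__(self):
        self.api_key = "sk-constructed-secret"   # constructed sample secret


class User:
    def __init__(self, name, account):
        self.name = name
        self.account = account                   # ordinary, non-underscore attribute


SERVICE_ACCOUNT = Account()                      # module global, reachable via __globals__


# 1. Attribute/item access left enabled in the expression (the risky default).
def render_unrestricted(template, user):
    return template.format(user=user)


# 2. The "no leading underscore" rule: blocks dunder traversal, allows everything else.
class NoUnderscoreFormatter(string.Formatter):
    def get_field(self, field_name, args, kwargs):
        # Normalise "a.b[c].d" into its component names, skipping the root argument name.
        parts = field_name.replace("[", ".").replace("]", "").split(".")[1:]
        for part in parts:
            if part.startswith("_"):
                raise ValueError(f"underscore attribute {part!r} not allowed")
        return super().get_field(field_name, args, kwargs)


def render_no_underscore(template, user):
    return NoUnderscoreFormatter().format(template, user=user)


# 3. No item or attribute access in the expression at all; the template may only
#    name plain arguments that the caller computed and chose to expose.
class PlainNameFormatter(string.Formatter):
    def get_field(self, field_name, args, kwargs):
        if "." in field_name or "[" in field_name:
            raise ValueError(f"traversal not allowed in template field {field_name!r}")
        key = int(field_name) if field_name.isdigit() else field_name
        return self.get_value(key, args, kwargs), field_name


def render_plain(template, user):
    # Everything the template is allowed to show is passed explicitly as an argument.
    return PlainNameFormatter().format(template, name=user.name)


# Two constructed hostile templates supplied by an untrusted party.
DUNDER_PAYLOAD = "{user.__class__.__init__.__globals__[SERVICE_ACCOUNT].api_key}"
PLAIN_PAYLOAD = "{user.account.api_key}"


def attempt(render, template, user):
    """Render and report either the output or why the formatter refused."""
    try:
        return render(template, user)
    except (ValueError, KeyError, AttributeError, IndexError) as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    alice = User("alice", Account())
    for label, render in (("unrestricted", render_unrestricted),
                          ("no-underscore", render_no_underscore),
                          ("plain-names", render_plain)):
        for payload in (DUNDER_PAYLOAD, PLAIN_PAYLOAD):
            print(f"{label:14} {payload:70} -> {attempt(render, payload, alice)}")
```

Run as a script it prints a row per formatter and payload; the `no-underscore` row shows the secret escaping through `{user.account.api_key}`, which is the case the underscore rule cannot express. The `PlainNameFormatter` check is deliberately on the raw field name, before any lookup happens, so a rejected template never touches the object graph.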
