On 6/20/07, Greg Falcon <[EMAIL PROTECTED]> wrote:
> On 6/19/07, Chris McDonough <[EMAIL PROTECTED]> wrote:
> > Given that security is a concern at all, the only truly reasonable
> > way to "limit security issues" is to disallow item and attribute
> > access completely within the string templating expression syntax. It
> > seems gratuitous to me to encourage string templating expressions
> > with item/attribute access, given that you could do it within the
> > format arguments just as easily in the 99% case, and we've (well...
> > I've) happily been living with that restriction for years now.
> >
> > But if this syntax is preserved, there really should be no *default*
> > restrictions on the traversable names within an expression because
> > this will almost certainly become a hard-to-explain, hard-to-justify
> > bug magnet as it has become in Zope.
>
> This sounds exactly right to me. I don't have strong feelings either
> way about attribute lookups in formatting strings, or the security
> problems they raise. But while it seems a reasonable stance that
> user-injected getattr()s may pose a security problem, what seems
> indefensible is the stance that user-injected getattr()s are okay
> precisely when the attribute being looked up doesn't start with an
> underscore.
>
> A single underscore prefix is a hint to human readers, not to the
> language itself, and things should stay that way.
Since Talin said he wanted to see what others had to say, I am going to say I agree with this sentiment. I want string formatting to be dead-simple. That means either leaving out overly fancy formatting abilities and keeping it simple, or making it very intuitive with as few special cases as possible.

-Brett

_______________________________________________
Python-3000 mailing list
[email protected]
http://mail.python.org/mailman/listinfo/python-3000
Unsubscribe: http://mail.python.org/mailman/options/python-3000/archive%40mail-archive.com
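The three positions in the thread above, side by side, as an added example (not code from the thread or from the PEP 3101 implementation): plain str.format, where whoever writes the template controls every getattr; a sketch of the "no leading-underscore attributes" rule Greg Falcon objects to, which still lets a template walk any public attribute chain; and the approach Chris McDonough describes, where the caller resolves values up front and the template may only name them. Account, Settings, the attribute names and the sample values are constructed for the demonstration; the formatters subclass string.Formatter and override get_field, which is the hook the standard library provides for resolving a replacement field.

```python
import re
import string


class Settings:
    """Constructed sample: a public attribute that happens to hold a secret."""

    def __init__(self, secret_key):
        self.secret_key = secret_key


class Account:
    """Constructed sample object that gets handed to a template."""

    def __init__(self, name, token, settings):
        self.name = name
        self._token = token        # underscore is a hint to readers, not a boundary
        self.settings = settings   # public path that leads to sensitive data


def render_unrestricted(template, obj):
    """str.format as shipped: the template author controls every getattr/getitem."""
    return template.format(obj)


class UnderscoreFilterFormatter(string.Formatter):
    """Sketch of the proposed rule: reject attribute/item segments starting with '_'."""

    # A '.' or '[' followed by '_' inside the field name is an underscore-prefixed step.
    _PRIVATE_SEGMENT = re.compile(r"[.\[]_")

    def get_field(self, field_name, args, kwargs):
        if self._PRIVATE_SEGMENT.search(field_name):
            raise ValueError("private attribute/item in template: %r" % field_name)
        return super().get_field(field_name, args, kwargs)


class NoTraversalFormatter(string.Formatter):
    """Disallow '.attr' and '[key]' entirely; only bare names resolve."""

    def get_field(self, field_name, args, kwargs):
        if "." in field_name or "[" in field_name:
            raise ValueError("traversal not allowed in template: %r" % field_name)
        return super().get_field(field_name, args, kwargs)


def render_underscore_filtered(template, obj):
    """Render with the underscore rule applied to every replacement field."""
    return UnderscoreFilterFormatter().format(template, obj)


def render_no_traversal(template, **values):
    """Caller resolves every value first; the template can only refer to them by name."""
    return NoTraversalFormatter().vformat(template, (), values)


def blocked(render, *args, **kwargs):
    """True if the renderer refuses the template by raising ValueError."""
    try:
        render(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    acct = Account("alice", "tok-123", Settings("k-456"))
    # Unrestricted: the underscore does nothing, and dunder attributes are reachable too.
    print(render_unrestricted("{0._token}", acct))
    print(render_unrestricted("{0.__class__.__name__}", acct))
    # Underscore rule: blocks {0._token} but not a walk through public names.
    print(blocked(render_underscore_filtered, "{0._token}", acct))
    print(render_underscore_filtered("{0.settings.secret_key}", acct))
    # No traversal: the template sees only what the caller chose to pass.
    print(render_no_traversal("Hello {name}", name=acct.name))
    print(blocked(render_no_traversal, "{name.__class__}", name=acct.name))
```

With the no-traversal formatter the restriction is simple to state and to explain: a template cannot reach anything the caller did not hand it by name, so there is no list of forbidden names to maintain and no surprising "why is this attribute off-limits" case of the kind the underscore rule produces.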
