New submission from Alexander Belopolsky <belopol...@users.sourceforge.net>:
According to the Format String Syntax section [1], attribute_name must be an identifier. However, the parser does not catch a violation of this rule and happily passes non-identifier strings to getattribute:

>>> class X:
...     def __getattribute__(self, a): return 'foo'
...
>>> '{...@}'.format(X())
'foo'

If this is a desirable feature, I think it should be clearly documented because in some cases, for example when formatted objects are proxies to database entries, passing arbitrary strings to __getattribute__ may be wasteful at best and a security hole at worst.

[1] http://docs.python.org/dev/py3k/library/string.html#format-string-syntax

----------
components: Interpreter Core
messages: 117961
nosy: belopolsky
priority: normal
severity: normal
status: open
title: Format parser is too permissive
type: behavior
versions: Python 3.2

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue10021>
_______________________________________
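One way for application code to enforce the documented identifier rule itself, shown as an added example that is not part of the original report or of CPython: a string.Formatter subclass that validates every attribute name before any lookup reaches the object. The names LOOKUPS, RecordProxy, StrictFormatter, permissive and strict, and the template '{0.@}', are constructed for illustration.

```python
import string
# CPython helper that string.Formatter.get_field itself uses to split
# "0.attr[key]" into the first component and an iterator of (is_attr, name).
from _string import formatter_field_name_split

LOOKUPS = []  # constructed: records every name the proxy is asked to resolve


class RecordProxy:
    """Constructed stand-in for a proxy to a database entry."""

    def __getattribute__(self, name):
        LOOKUPS.append(name)  # a real proxy might issue a query here
        return "foo"


class StrictFormatter(string.Formatter):
    """Reject attribute names that are not identifiers before any getattr."""

    def get_field(self, field_name, args, kwargs):
        _first, rest = formatter_field_name_split(field_name)
        for is_attr, key in rest:
            if is_attr and not key.isidentifier():
                raise ValueError(
                    f"attribute name {key!r} in format field is not an identifier"
                )
        return super().get_field(field_name, args, kwargs)


def permissive(template, obj):
    """Built-in str.format: the attribute name is passed through unchecked."""
    return template.format(obj)


def strict(template, obj):
    """Validated formatting: non-identifier names never reach the object."""
    return StrictFormatter().format(template, obj)


if __name__ == "__main__":
    print(permissive("{0.@}", RecordProxy()), LOOKUPS)
    LOOKUPS.clear()
    try:
        strict("{0.@}", RecordProxy())
    except ValueError as exc:
        print("rejected:", exc, LOOKUPS)
```

The check only narrows attribute names to identifiers; a template from an untrusted source can still name any identifier attribute, so the template itself should not be attacker-controlled.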