[Python-ideas] Re: Allowing `str.format` to format one or more parameters instead of all parameters
On 29/04/23 6:59 am, Bruce Leban wrote:
To take this further, suppose you write 'Hello {username} from
{company}'.format(userdata).format(companydata) where the user has set
their name to "Dr. {secret} Evil" where {secret} is something in
companydata that should not be exposed.
More generally, a format string should be treated as code, and
doing anything that could result in untrusted user data being
treated as code is a Bad Idea.
--
Greg
___
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at
https://mail.python.org/archives/list/python-ideas@python.org/message/55PB23XWOLEGM7OWEGPH7ZVAK7MWRIFE/
Code of Conduct: http://python.org/psf/codeofconduct/
[Python-ideas] Re: Allowing `str.format` to format one or more parameters instead of all parameters
On Tue, Apr 25, 2023 at 6:16 PM Joao S. O. Bueno wrote:
>
> Worst case scenario, one goes from one non-running program to a running
> program producing partially incorrect output. Any legacy code that was not
> working in the first place, is obviously, clearly, not critical for anyone,
> otherwise it would have been fixed already.
>
Worst case scenario: use of this feature introduces bugs. For example,
security holes.
Generally, formatting and parsing are not idempotent and you should not
reformat or reparse already processed strings. See
http://google-gruyere.appspot.com/ to learn more about the pitfalls and in
particular
http://google-gruyere.appspot.com/part5#5__information_disclosure_bug_3
On Fri, Apr 28, 2023 at 8:49 AM MRAB wrote:
>
> What happens if you do '{open}...{close}'.partial_format(open='{close}'?
> You get '{close}...{close}', and you're going to have a problem using
> that as a format string and replacing only the second '{close}'.
>
To take this further, suppose you write 'Hello {username} from
{company}'.format(userdata).format(companydata) where the user has set
their name to "Dr. {secret} Evil" where {secret} is something in companydata
that should not be exposed. The presence of this bug is going to be very
hard to find.
This seems like an obvious case of a non-solution to a non-problem that's
actually worse than no solution at all.
--- Bruce
___
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at
https://mail.python.org/archives/list/python-ideas@python.org/message/M3QBMY22VKGOTDXMBBA6ED54ETUVFNDH/
Code of Conduct: http://python.org/psf/codeofconduct/
[Python-ideas] Re: Allowing `str.format` to format one or more parameters instead of all parameters
I suggest you guys implement this as a library, if you want it.
You don't need to make your `partial_format` a method, it can just be a
normal function.
There's no need to fiddle with the built-in string or format function for
this.
On Fri, 28 Apr 2023, 22:27 Matsuoka Takuo, wrote:
> What if it's done not by format method but by a separete method, say,
> format_partially or something? The method is different from format
> also in that it should leave "{{" and "}}" unaltered.
>
> On Fri, 28 Apr 2023 at 00:05, Matthias Görgens
> wrote:
> >
> > Does it have any use case that's not already served by functools.partial?
>
> I guess you mean given
>
> partially_formatted_string = unformatted_string.format(color="blue")
>
> that
>
> partially_formatted_string.format
>
> would be equivalent to
>
> partial(unformatted_string.format, color="blue")
>
> However, I think a partially formatted string can help since it will
> have other methods than format as well. For instance, given
>
> unformatted_string = '{color}{text}'
>
> doing the following thing only with functools.partial could require
> more care than you would be willing to give.
>
> string = (unformatted_string.format(color="blue")
> + unformatted_string
> ).format(text="Spanish", color="red")
>
> (One of the easiest ways might be
>
> ```
> from functools import partial
> from operator import call
>
> format_ = unformatted_string.format
> string = "".join(map(partial(call, text="Spanish"),
> (partial(format_, color="blue"),
> partial(format_, color="red"), )))
> ```
>
> However, note the following, more straight-forward code doesn't work:
>
> ```
> string = "".join(map(partial(call, text="Spanish", color="red"),
> (partial(format_, color="blue"),
> format_, )))
> ```
> )
>
> Now, how about this?
>
> ```
> format_ = '{a}{b}{c}'.format
>
> string = ((format_(a=a0) + format_(b=b0)).format(c=c0)
> + (format_(a=a1) + format_(c=c1)).format(b=b1)
> + (format_(b=b2) + format_(c=c2)).format(a=a2)
> ).format(a=a3, b=b3, c=c3)
> ```
>
> (For instance, the following code fails:
>
> ```
> from itertools import chain
>
> string = "".join(map(partial(call, a=a3, b=b3, c=c3),
> chain.from_iterable(
> map(map,
> (partial(partial, c=c0),
> partial(partial, b=b1),
> partial(partial, a=a2), ),
> ((partial(format_, a=a0),
>partial(format_, b=b0), ),
> (partial(format_, a=a1),
>partial(format_, c=c1), ),
> (partial(format_, b=b2),
>partial(format_, c=c2), ), ))
> )))
> ```
> )
>
> Best regards,
> Takuo Matsuoka
> ___
> Python-ideas mailing list -- python-ideas@python.org
> To unsubscribe send an email to python-ideas-le...@python.org
> https://mail.python.org/mailman3/lists/python-ideas.python.org/
> Message archived at
> https://mail.python.org/archives/list/python-ideas@python.org/message/K5RPB4XOQROYTWQHI5A4DVTKB2RNY6OC/
> Code of Conduct: http://python.org/psf/codeofconduct/
>
___
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at
https://mail.python.org/archives/list/python-ideas@python.org/message/BOTC5QLWI462NSNQCP6UT3FJ24Y2PMZS/
Code of Conduct: http://python.org/psf/codeofconduct/
[Python-ideas] Re: Allowing `str.format` to format one or more parameters instead of all parameters
On 2023-04-28 15:25, Matsuoka Takuo wrote:
What if it's done not by format method but by a separete method, say,
format_partially or something? The method is different from format
also in that it should leave "{{" and "}}" unaltered.
On Fri, 28 Apr 2023 at 00:05, Matthias Görgens
wrote:
Does it have any use case that's not already served by functools.partial?
I guess you mean given
partially_formatted_string = unformatted_string.format(color="blue")
that
partially_formatted_string.format
would be equivalent to
partial(unformatted_string.format, color="blue")
However, I think a partially formatted string can help since it will
have other methods than format as well. For instance, given
unformatted_string = '{color}{text}'
doing the following thing only with functools.partial could require
more care than you would be willing to give.
string = (unformatted_string.format(color="blue")
+ unformatted_string
).format(text="Spanish", color="red")
(One of the easiest ways might be
```
from functools import partial
from operator import call
format_ = unformatted_string.format
string = "".join(map(partial(call, text="Spanish"),
(partial(format_, color="blue"),
partial(format_, color="red"), )))
```
However, note the following, more straight-forward code doesn't work:
```
string = "".join(map(partial(call, text="Spanish", color="red"),
(partial(format_, color="blue"),
format_, )))
```
)
Now, how about this?
```
format_ = '{a}{b}{c}'.format
string = ((format_(a=a0) + format_(b=b0)).format(c=c0)
+ (format_(a=a1) + format_(c=c1)).format(b=b1)
+ (format_(b=b2) + format_(c=c2)).format(a=a2)
).format(a=a3, b=b3, c=c3)
```
(For instance, the following code fails:
```
from itertools import chain
string = "".join(map(partial(call, a=a3, b=b3, c=c3),
chain.from_iterable(
map(map,
(partial(partial, c=c0),
partial(partial, b=b1),
partial(partial, a=a2), ),
((partial(format_, a=a0),
partial(format_, b=b0), ),
(partial(format_, a=a1),
partial(format_, c=c1), ),
(partial(format_, b=b2),
partial(format_, c=c2), ), ))
)))
```
)
What happens if you do '{open}...{close}'.partial_format(open='{close}'?
You get '{close}...{close}', and you're going to have a problem using
that as a format string and replacing only the second '{close}'.
Or how about '{open}...{close}'.partial_format(open='{')? You get
'{...{close}'. Try using that as a format string!
That's why I think that the result of a partial format should be an
instance of a new class and not a string.
___
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at
https://mail.python.org/archives/list/python-ideas@python.org/message/TQOQ5CRLDTFXO2YS24UMLQB7ANXQNDWI/
Code of Conduct: http://python.org/psf/codeofconduct/
[Python-ideas] Re: Allowing `str.format` to format one or more parameters instead of all parameters
What if it's done not by format method but by a separete method, say,
format_partially or something? The method is different from format
also in that it should leave "{{" and "}}" unaltered.
On Fri, 28 Apr 2023 at 00:05, Matthias Görgens
wrote:
>
> Does it have any use case that's not already served by functools.partial?
I guess you mean given
partially_formatted_string = unformatted_string.format(color="blue")
that
partially_formatted_string.format
would be equivalent to
partial(unformatted_string.format, color="blue")
However, I think a partially formatted string can help since it will
have other methods than format as well. For instance, given
unformatted_string = '{color}{text}'
doing the following thing only with functools.partial could require
more care than you would be willing to give.
string = (unformatted_string.format(color="blue")
+ unformatted_string
).format(text="Spanish", color="red")
(One of the easiest ways might be
```
from functools import partial
from operator import call
format_ = unformatted_string.format
string = "".join(map(partial(call, text="Spanish"),
(partial(format_, color="blue"),
partial(format_, color="red"), )))
```
However, note the following, more straight-forward code doesn't work:
```
string = "".join(map(partial(call, text="Spanish", color="red"),
(partial(format_, color="blue"),
format_, )))
```
)
Now, how about this?
```
format_ = '{a}{b}{c}'.format
string = ((format_(a=a0) + format_(b=b0)).format(c=c0)
+ (format_(a=a1) + format_(c=c1)).format(b=b1)
+ (format_(b=b2) + format_(c=c2)).format(a=a2)
).format(a=a3, b=b3, c=c3)
```
(For instance, the following code fails:
```
from itertools import chain
string = "".join(map(partial(call, a=a3, b=b3, c=c3),
chain.from_iterable(
map(map,
(partial(partial, c=c0),
partial(partial, b=b1),
partial(partial, a=a2), ),
((partial(format_, a=a0),
partial(format_, b=b0), ),
(partial(format_, a=a1),
partial(format_, c=c1), ),
(partial(format_, b=b2),
partial(format_, c=c2), ), ))
)))
```
)
Best regards,
Takuo Matsuoka
___
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at
https://mail.python.org/archives/list/python-ideas@python.org/message/K5RPB4XOQROYTWQHI5A4DVTKB2RNY6OC/
Code of Conduct: http://python.org/psf/codeofconduct/
