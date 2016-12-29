
Be Careful with Python's New-Style String Format (pocoo.org)
51 points by BerislavLopac 1 hour ago | hide | past | web | 12 comments | favorite

No, Rust does not have the ability to access any variable in the program via a format string. Rust has this:

   format!("{argument}", argument = "test");   // => "test"
That's just named arguments to the format. Also, that's a macro; it's expanded at compile time.

Python's approach is lame. It should have used something with a limited list of named arguments, or maybe a dict.

reply


Until now I thought the new features were confined to `f""` format strings.

This seems like a really serious misfeature. The kind that needs to be backed out of the release to prevent a security reputation fiasco.

reply


Err, why would you allow for the user to enter arbitrary format strings in the first place?

Might as well write "be careful about eval of arbitrary user provided strings".

reply


Internationalization, usually. Word order differs between languages, and this kind of format allows reordering the inserted values.

reply


Templates. Very useful in many places.

Although if you are using templates in Python, you are likely using jinja2. And they just "fixed" the bug. So you are good to go if you upgrade.

reply


"Customize the look of your blog by editing these templates."

reply


I do love writing Python, but it's pretty shocking when I find out you can write something like `event.__init__.__globals__[CONFIG][SECRET_KEY]`. That language just does not care about privacy or information hiding at all, I guess.

reply
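The traversal named in this comment, placed next to the restricted-names/dict approach proposed earlier in the thread and the placeholder reordering that the internationalization comment asks for, as an added Python example (it is not code from the thread or from the linked post). `Event`, `CONFIG`, `RestrictedFormatter` and the templates are all constructed for illustration; the hardening technique is a `string.Formatter` subclass that resolves only whole allow-listed field names and is handed plain values rather than objects.

```python
import string

# Constructed sample application state: a secret held in module globals, which
# is exactly what an unrestricted template can reach through an object's class.
CONFIG = {"SECRET_KEY": "constructed-secret-do-not-leak"}


class Event:
    """Constructed object that templates are meant to read a few fields from."""

    def __init__(self, name, level):
        self.name = name
        self.level = level


def render_unsafe(template, event):
    """The pattern the thread warns about: str.format on a user-supplied template.

    Attribute and index access inside a replacement field lets the template walk
    from the object to its methods, their module globals, and anything kept there.
    """
    return template.format(event=event)


class RestrictedFormatter(string.Formatter):
    """Hypothetical hardened formatter (added example, not the post's code).

    get_field receives the whole field name ("event.__init__.__globals__[...]"),
    so checking it against an allow-list of bare names refuses every dotted
    attribute lookup and every [index] lookup before anything is resolved.
    Templates can still reorder the allowed values freely.
    """

    def __init__(self, allowed):
        super().__init__()
        self.allowed = frozenset(allowed)

    def get_field(self, field_name, args, kwargs):
        if field_name not in self.allowed:
            raise KeyError("field %r is not permitted in templates" % field_name)
        return kwargs[field_name], field_name

    def format_field(self, value, format_spec):
        # Only bare substitution is needed for reordering, so format specs
        # (widths, fills, precisions) are refused rather than passed through.
        if format_spec:
            raise ValueError("format specs are not permitted in templates")
        return str(value)


SAFE = RestrictedFormatter(allowed={"name", "level"})


def render_safe(template, event):
    # Hand the formatter a dict of plain values (the approach suggested in the
    # thread), never the object itself, so there is no object graph to traverse.
    fields = {"name": event.name, "level": event.level}
    return SAFE.vformat(template, (), fields)


def demo():
    """Render the same templates both ways and report what each one does."""
    event = Event("deploy", "info")
    english = "{name} finished with level {level}"
    reordered = "level {level}: {name}"          # different word order, same fields
    leaky = "{event.__init__.__globals__[CONFIG][SECRET_KEY]}"  # from the thread
    results = {
        "unsafe_leaks": render_unsafe(leaky, event) == CONFIG["SECRET_KEY"],
        "safe_english": render_safe(english, event),
        "safe_reordered": render_safe(reordered, event),
    }
    try:
        render_safe(leaky, event)
        results["safe_blocks"] = False
    except KeyError:
        results["safe_blocks"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Rejecting in `get_field` rather than in `get_value` matters: `get_value` only sees the first name component, after which the base class performs the `getattr`/`__getitem__` chain itself, so a check placed there would still let `{name.upper}` through.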


You can do the same thing in Java with reflection.

Don't let users run untrusted code. Full stop.

If you need templating use a sandbox like jinja2.

reply


Python's general mentality can be summed up as "We are all consenting adults here". If you want to access some part of the program or data, you generally can, but the burden of not breaking anything while messing with internals is on you.

This is a great power, but also can become an unlimited source of bugs.

reply


What?

reply


... Uncontrolled format string bugs? In 2016? Really? Someone would fall for that? ..

reply


Old style format strings are perfectly safe for arbitrary user input and commonly used as such.

reply



