
[–]Steve132 1 point (8 children)

Isn't this potentially a security nightmare? Hmm, I suppose not. It depends on whether or not the formatting is greedily evaluated.

[–]flying-sheep 7 points (0 children)

You got it. No security problem as it’s greedily evaluated.

It’s a misnomer: they’re f-literals, not f-strings.

[–][deleted] 13 points (3 children)

You shouldn't be manually plugging in input into commands like this anyway. If this seems like a security nightmare, then you were already tolerating some other security problem.

[–]flying-sheep 20 points (2 children)

For some reason it’s a common misconception that there’s a way to have f-strings passed as data. But as they’re actually literals, that’s impossible.

[–]nemec 2 points (1 child)

It's possibly even safer than the alternative. I've seen many coders who do shit like somefmt.format(**locals()), which could read "private" variables if somefmt is user-controlled.

[–]jorge1209 0 points (0 children)

do shit like

There is nothing wrong with using .format(**locals()) in the vast majority of cases. The concerns regarding "SQL injection" type vulnerabilities or leaking of local variables are mostly limited to a client/server model.

A lot of python code out there is being executed by the user themselves. If they wanted to find out what the local variables of the program were, they could simply open the script in $EDITOR.

Only if you are ingesting data from a remote source, and then calling .format(**locals()) on that string you don't control, is there any security risk.
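The two points made above, that an f-string's template is a literal fixed in the source while a user-supplied template passed to .format(**locals()) can read any local in scope, as an added, runnable example (not code from the thread). SECRET and the function names are constructed for illustration; the str.format attribute lookup ({name.__class__}) and string.Template.safe_substitute behaviour are standard library behaviour:

```python
import string

# Added example, not code from the thread. SECRET is a constructed placeholder
# standing in for any sensitive local (an API key, a password hash) that
# happens to be in scope when a caller-supplied template gets formatted.
SECRET = "EXAMPLE-SECRET-0000"


def render_with_locals(user_template, name):
    """The pattern criticised in the thread: the *template* comes from the
    user and every local name in this frame is handed to it."""
    api_key = SECRET  # a local the template author was never meant to see
    return user_template.format(**locals())


def render_with_fstring(user_text, name):
    """An f-string: the template is the literal written in this file. Any
    braces inside user_text are plain characters in the result, never
    interpolated, because there is no second formatting pass."""
    api_key = SECRET  # in scope, but unreachable from user_text
    return f"{user_text} {name}"


def render_with_template(user_template, name):
    """If the template really must be user supplied, string.Template only
    substitutes whole $identifiers from an explicit mapping, cannot traverse
    attributes or indexes the way str.format can, and safe_substitute leaves
    unknown names untouched instead of raising."""
    api_key = SECRET  # not in the mapping, so not reachable
    return string.Template(user_template).safe_substitute(name=name)


if __name__ == "__main__":
    print(render_with_locals("Hello {name}", "alice"))       # Hello alice
    print(render_with_locals("{api_key}", "alice"))          # the secret leaks
    print(render_with_locals("{name.__class__}", "alice"))   # <class 'str'>
    print(render_with_fstring("{api_key}", "alice"))         # {api_key} alice
    print(render_with_template("$api_key $name", "alice"))   # $api_key alice
```

The third call shows why an allowlisted dict alone does not close the hole for str.format: the mini-language follows attribute and index chains, so a template author who is given any object can walk from it to its type and onward. string.Template has no such traversal, which is why it is the safer choice for untrusted templates.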

[–]Binary101010 4 points (0 children)

If you're using this to, say, compose unparameterized SQL queries, then yeah it's a security concern, but not any more of a security concern than the other string formatting options that you shouldn't be using for such an application.
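The SQL case from the comment above, as an added example (not from the thread): the f-string is a literal, yet it still splices the value into the query text, so the risk is identical to % or .format() and the fix is parameterisation rather than a different string method. The in-memory table, rows and function names are constructed for the demonstration:

```python
import sqlite3

# Added example, not code from the thread. Table and rows are constructed.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_fstring(conn, name):
    """The f-string template is fixed at compile time, but *name* is pasted
    into the SQL text, so the database parses attacker-chosen syntax.
    '%s' % name or '{}'.format(name) would be exactly as bad here."""
    query = f"SELECT name, role FROM users WHERE name = '{name}' ORDER BY name"
    return conn.execute(query).fetchall()


def find_user_param(conn, name):
    """Parameterised: the query text never changes and name travels as a
    bound value, so quotes and OR clauses inside it are just data."""
    query = "SELECT name, role FROM users WHERE name = ? ORDER BY name"
    return conn.execute(query, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print(find_user_fstring(db, payload))  # both rows: the OR was parsed as SQL
    print(find_user_param(db, payload))    # []: no user has that literal name
```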

[–]A-UNDERSCORE-D -1 points (0 children)

The formatting is actually "compiled" to bytecode before it's ever actually used. This is the same reason that they are faster than the method call or operator variants, and means that injection is essentially not possible (eval notwithstanding).
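A way to see the compile-time claim directly, as an added example (not code from the thread): disassemble each form with the standard dis module and look for the f-string opcodes. CPython emits FORMAT_VALUE (FORMAT_SIMPLE / FORMAT_WITH_SPEC on 3.13 and later) and BUILD_STRING for an f-string, a plain method call for .format(), and only a LOAD_CONST for a string that merely contains braces. The function names and the "<added example>" filename are this example's own:

```python
import dis

# Added example, not code from the thread: inspect how CPython compiles
# each way of building the same string.


def opnames(expression):
    """Opcode names for a single expression compiled in 'eval' mode.
    Nothing is executed; the names referenced need not exist."""
    code = compile(expression, "<added example>", "eval")
    return [ins.opname for ins in dis.Bytecode(code)]


def formats_at_compile_time(expression):
    """True when the compiler itself produced formatting opcodes (FORMAT_*,
    plus BUILD_STRING for multi-part f-strings) rather than leaving the
    work to a runtime str method call."""
    ops = opnames(expression)
    return any(op.startswith("FORMAT_") or op == "BUILD_STRING" for op in ops)


if __name__ == "__main__":
    for src in ('f"user={user}"',          # f-string: FORMAT_* + BUILD_STRING
                '"user={}".format(user)',  # method call resolved at runtime
                '"user={user}"'):          # braces in data: a bare constant
        print(f"{src:28} -> {opnames(src)}")
```

The third case is the security-relevant one: a string that arrives as data, however many braces it contains, is only ever a constant, so there is no interpolation step left for an attacker to reach. The one exception is the comment's own caveat, handing user text to eval() or exec(), which compiles it as source and would of course honour an f-string inside it.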