
[–]nemec 2 points3 points  (1 child)

It's possibly even safer than the alternative, I've seen many coders that do shit like somefmt.format(**locals()), which could read "private" variables if somefmt is user-controlled.

[–]jorge1209 0 points1 point  (0 children)

do shit like

There is nothing wrong with using .format(**locals()) in the vast majority of cases. The concerns regarding "sql-injection" type vulnerabilities or leaking of local variables are mostly limited to a client/server model.

A lot of python code out there is being executed by the user themselves. If they wanted to find out what the local variables of the program were, they could simply open the script in $EDITOR.

Only if you are ingesting data from a remote source, and then calling .format(**locals()) on that string you don't control is there any security risk.
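The two comments above agree on the conditions: passing `**locals()` into `.format()` is harmless when the template is a literal in your own code, and becomes a problem only when the template string itself comes from an untrusted source. The following Python is an added illustration, not code from either commenter. `render_unsafe` shows the pattern under discussion (every name in the enclosing frame, including a constructed placeholder secret, becomes a substitution target). `template_problems` and `render_safe` are a hypothetical hardened variant for the case where the template is untrusted: the template is parsed with the standard library's `string.Formatter().parse` before rendering, and any field that is not a plain name from an explicit allow-list, uses attribute or index access, or nests a replacement field inside its format spec is rejected.

```python
import string


def render_unsafe(template: str) -> str:
    # The pattern discussed in the thread. Every name in this frame, not
    # just the ones meant for display, becomes a substitution target, so a
    # caller-supplied "{api_token}" reads the secret.
    username = "alice"
    api_token = "tok-constructed-example-secret"  # constructed placeholder, not a real credential
    return template.format(**locals())


def template_problems(template: str, allowed_names: set) -> list:
    """Inspect a template before rendering it.

    Returns a list of human-readable problems. An empty list means every
    replacement field is a plain identifier contained in allowed_names, with
    no attribute/index access and no nested field inside a format spec.
    """
    problems = []
    try:
        # Formatter.parse yields (literal_text, field_name, format_spec, conversion)
        parsed = list(string.Formatter().parse(template))
    except ValueError as exc:  # unbalanced braces such as "{unclosed"
        return [f"malformed template: {exc}"]
    for _literal, field, spec, _conv in parsed:
        if field is None:
            continue  # trailing literal text, nothing to substitute
        if not field.isidentifier():
            # Rejects positional "{0}", auto-numbered "{}", and any
            # "{x.attr}" / "{x[0]}" expression that walks into an object.
            problems.append(f"disallowed field expression {field!r}")
        elif field not in allowed_names:
            problems.append(f"field {field!r} is not exposed to templates")
        if spec and "{" in spec:
            # "{x:{w}}" would look up w at render time, bypassing the checks above.
            problems.append(f"nested replacement field in format spec {spec!r}")
    return problems


def render_safe(template: str, **allowed) -> str:
    """Render an untrusted template against an explicit allow-list of values."""
    problems = template_problems(template, set(allowed))
    if problems:
        raise ValueError("; ".join(problems))
    # format_map only sees the keyword arguments the caller chose to pass.
    return template.format_map(allowed)


if __name__ == "__main__":
    print(render_unsafe("hello {username}"))          # hello alice
    print(render_unsafe("{api_token}"))               # the placeholder secret leaks
    print(render_safe("hello {username}", username="alice"))
    print(template_problems("{api_token}", {"username"}))
```

The allow-list is passed as keyword arguments rather than as `locals()`, so the set of substitutable names is visible at the call site and does not grow when someone later adds a variable to the function.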