Path: csiph.com!fu-berlin.de!uni-berlin.de!not-for-mail From: Chris Angelico Newsgroups: comp.lang.python Subject: Re: Python keyword args can be any string Date: Thu, 18 Feb 2016 16:57:23 +1100 Lines: 43 Message-ID: References: <56c559c2$0$2916$c3e8da3$76491128@news.astraweb.com> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-Trace: news.uni-berlin.de P93/iHTCi7BnovY1lgiQgAJ+POmBWhOlSutUQz6M5bMQ== Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.001 X-Spam-Evidence: '*H*': 1.00; '*S*': 0.00; 'received:209.85.223': 0.03; 'subject:Python': 0.05; 'cc:addr:python-list': 0.09; 'dict': 0.09; 'kwargs': 0.09; 'subject:string': 0.09; 'bug': 0.10; 'def': 0.13; 'thu,': 0.15; "'':": 0.16; "'__doc__',": 0.16; '2016': 0.16; '23,': 0.16; '42,': 0.16; 'attributes,': 0.16; 'feature?': 0.16; 'from:addr:rosuav': 0.16; 'from:name:chris angelico': 0.16; 'received:io': 0.16; 'received:psf.io': 0.16; 'string:': 0.16; "{'':": 0.16; 'wrote:': 0.16; 'accepting': 0.18; '>>>': 0.20; 'cc:2**0': 0.20; 'cc:addr:python.org': 0.20; 'arguments': 0.22; 'suppose': 0.22; 'pass': 0.22; 'feb': 0.23; 'xml': 0.24; 'header :In-Reply-To:1': 0.24; "doesn't": 0.26; 'message- id:@mail.gmail.com': 0.27; 'specifically': 0.28; "skip:' 10": 0.28; 'blocking': 0.29; 'consequence': 0.29; 'node': 0.29; 'handled': 0.29; 'skip:[ 10': 0.31; 'probably': 0.31; 'another': 0.32; "can't": 0.32; 'point': 0.33; 'class': 0.33; "d'aprano": 0.33; 'steven': 0.33; 'received:google.com': 0.35; 'something': 0.35; 'but': 0.36; 'received:209.85': 0.36; 'possible': 0.36; 'keyword': 0.36; 'pm,': 0.36; 'subject:: ': 0.37; 'seem': 0.37; 'received:209': 0.38; 'end': 0.39; 'build': 0.40; 'space': 0.40; 'today': 0.65; 'situation': 0.67; 'worth': 0.67; 'chrisa': 0.84; 'dict.': 0.84; 'subject:any': 0.84; 'to:none': 0.91; 'hassle': 0.91; 'preventing': 0.91 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:cc :content-type; bh=zB7fMnNjBKKFusyIclcGrgnYCb2OS1e7t2n4SzLXH0I=; b=zvCHI+QZ029LFUANRzYJbLRq1FmnS+nRJOq7ECr9EFaHNMcMbL6n6sNHroLPIDsr2o Xd/dKgUST17qL2/ffEFnBhLfpBszoTk/hqGBU7mdbJ3xhkTCKwLObRRFKBRJL321VUWb 6EfExvK0c8tNNNn30pNc/dxB3QHQOrFU+KSkxGLGt+PBZgTRTZgQFmOOqDrBogaZKpSB GdPXj4ZIKjMkDONDNLi5VEwMagm7UKcpf70LZBIH3I6VsqNeVKB3dZYUwEsyYhlncX50 TG8cWpyc+Poq31RBscxAwB7eE2ro87uwVBVrkhoFM6tOoHL4IzbasX2aluJAdmtb+Kr1 b9Pw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:cc:content-type; bh=zB7fMnNjBKKFusyIclcGrgnYCb2OS1e7t2n4SzLXH0I=; b=W7TAvRO7CNGrBW1TEAralyqC8vOQCcxYjx0usTMlUy6H/BQDwKREfFVxbkSamDKZhv b6ETbeK1ZlUN6twRaVrtfNBOqOo+4LonYiZZQIXFuNw3Xdueoj1wGKUCKH0sXhJrkp+g 3wJogdwwERTMGjeFMsXbUJ0GOonjkW39ikNDldcEruLD0RZM21vwau4lQ29cz7kFcS1F c8M7yOmVzeejexHcUPI69V9PwqXnuovyPDeKBf+gAKSz0N+KFM4zZh7GWEA5tJBBkM/e znPY74tzekLD+a8HyhmpCKMBIRxiBi6CJm+r5SQ8avZFUR8QI6LcFppPelYC8tvZUeIa U8NA== X-Gm-Message-State: AG10YOQ5S/l51XwfPVrTs4bBrHUOxCC0UFOeSwyD4Rq7oZ46092CbVpu55a7WKlKwh046d9Y+kbUsRA6Tl7VHQ== X-Received: by 10.107.47.162 with SMTP id v34mr6769861iov.19.1455775043414; Wed, 17 Feb 2016 21:57:23 -0800 (PST) In-Reply-To: <56c559c2$0$2916$c3e8da3$76491128@news.astraweb.com> X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.21rc2 Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Xref: csiph.com comp.lang.python:103084 On Thu, Feb 18, 2016 at 4:42 PM, Steven D'Aprano wrote: > Today I learned that **kwargs style keyword arguments can be any string: > > > py> def test(**kw): > ... print(kw) > ... > py> kwargs = {'abc-def': 42, '': 23, '---': 999, '123': 17} > py> test(**kwargs) > {'': 23, '123': 17, '---': 999, 'abc-def': 42} > > > Bug or feature? Probably neither. It's something that can't hurt, so there's no point specifically blocking it. You can do the same thing with other dictionaries: >>> globals()["abc-def"] = 42 >>> dir() ['__builtins__', '__doc__', '__loader__', '__name__', '__package__', '__spec__', 'abc-def'] >>> class Blob: pass ... >>> b = Blob() >>> b.__dict__[""] = 23 >>> dir(b) ['', '__class__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__gt__', '__hash__', '__init__', '__le__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__'] I suppose it's possible for this to be a vulnerability, eg if you build up an XML node using keyword arguments for attributes, and end up accepting something with a space in it. But most of the time, the only consequence is that you use a dict to create a situation that can only be handled with another dict. Doesn't seem worth the hassle of preventing it, but I would also see this as a bizarre thing to deliberately exploit. ChrisA