On Thu, Jan 5, 2017 at 6:59 PM, Adrian Klaver <adrian.klaver@aklaver.com> wrote:
> Not sure it applies here, but I just ran across a blog from Armin Ronacher.
> I don't always understand what he says, in this case I think I do and it
> might be worth a look:
>
> http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/
It's a reasonable concern, but no, it doesn't apply to us. From the
Python library I'm only using the parser to parse the format
micro-language, but not doing anything special with the field name, in
particular not applying attribute lookup: trying `{0.__class__}`
wouldn't try to extract the `__class__` attribute from the first
positional argument, but would look up for a keyword argument with
such name and fail with a KeyError. Also, we check and explicitly
forbid placeholder modifier.
https://github.com/psycopg/psycopg2/blob/a8a3a298/lib/sql.py#L227
-- Daniele