Merge pull request #2387 from enkore/f/placeholders-internals

placeholders: deny access to internals and other unspecified stuff

src/borg/archiver.py

@@ -1750,6 +1750,10 @@ class Archiver:
 
             The version of borg, only major, minor and patch version, e.g.: 1.0.8
 
+        If literal curly braces need to be used, double them for escaping::
+
+            borg create /path/to/repo::{{literal_text}}
+
         Examples::
 
             borg create /path/to/repo::{hostname}-{user}-{utcnow} ...

src/borg/helpers.py

@@ -110,6 +110,10 @@ class PlaceholderError(Error):
     """Formatting Error: "{}".format({}): {}({})"""
 
 
+class InvalidPlaceholder(PlaceholderError):
+    """Invalid placeholder "{}" in string: {}"""
+
+
 def check_extension_modules():
     from . import platform, compress, item
     if hashindex.API_VERSION != '1.1_01':
@@ -780,8 +784,13 @@ class DatetimeWrapper:
 
 
 def format_line(format, data):
+    for _, key, _, conversion in Formatter().parse(format):
+        if not key:
+            continue
+        if conversion or key not in data:
+            raise InvalidPlaceholder(key, format)
     try:
-        return format.format(**data)
+        return format.format_map(data)
     except Exception as e:
         raise PlaceholderError(format, data, e.__class__.__name__, str(e))
 

src/borg/testsuite/helpers.py

@@ -1213,6 +1213,10 @@ def test_format_line_erroneous():
         assert format_line('{invalid}', data)
     with pytest.raises(PlaceholderError):
         assert format_line('{}', data)
+    with pytest.raises(PlaceholderError):
+        assert format_line('{now!r}', data)
+    with pytest.raises(PlaceholderError):
+        assert format_line('{now.__class__.__module__.__builtins__}', data)
 
 
 def test_replace_placeholders():