2009-04-22 02:42:06 -04:00
|
|
|
PEP: 383
|
|
|
|
Title: Non-decodable Bytes in System Character Interfaces
|
|
|
|
Author: Martin v. Löwis <martin@v.loewis.de>
|
2009-05-17 12:29:24 -04:00
|
|
|
Status: Final
|
2009-04-22 02:42:06 -04:00
|
|
|
Type: Standards Track
|
|
|
|
Content-Type: text/x-rst
|
|
|
|
Created: 22-Apr-2009
|
|
|
|
Python-Version: 3.1
|
|
|
|
Post-History:
|
|
|
|
|
|
|
|
Abstract
|
|
|
|
========
|
|
|
|
|
|
|
|
File names, environment variables, and command line arguments are
|
|
|
|
defined as being character data in POSIX; the C APIs however allow
|
|
|
|
passing arbitrary bytes - whether these conform to a certain encoding
|
|
|
|
or not. This PEP proposes a means of dealing with such irregularities
|
|
|
|
by embedding the bytes in character strings in such a way that allows
|
|
|
|
recreation of the original byte string.
|
|
|
|
|
|
|
|
Rationale
|
|
|
|
=========
|
|
|
|
|
|
|
|
The C char type is a data type that is commonly used to represent both
|
|
|
|
character data and bytes. Certain POSIX interfaces are specified and
|
|
|
|
widely understood as operating on character data, however, the system
|
|
|
|
call interfaces make no assumption on the encoding of these data, and
|
|
|
|
pass them on as-is. With Python 3, character strings use a
|
|
|
|
Unicode-based internal representation, making it difficult to ignore
|
|
|
|
the encoding of byte strings in the same way that the C interfaces can
|
|
|
|
ignore the encoding.
|
|
|
|
|
2009-04-22 15:08:10 -04:00
|
|
|
On the other hand, Microsoft Windows NT has corrected the original
|
2009-04-22 02:42:06 -04:00
|
|
|
design limitation of Unix, and made it explicit in its system
|
|
|
|
interfaces that these data (file names, environment variables, command
|
|
|
|
line arguments) are indeed character data, by providing a
|
|
|
|
Unicode-based API (keeping a C-char-based one for backwards
|
|
|
|
compatibility).
|
|
|
|
|
|
|
|
For Python 3, one proposed solution is to provide two sets of APIs: a
|
|
|
|
byte-oriented one, and a character-oriented one, where the
|
|
|
|
character-oriented one would be limited to not being able to represent
|
|
|
|
all data accurately. Unfortunately, for Windows, the situation would
|
|
|
|
be exactly the opposite: the byte-oriented interface cannot represent
|
|
|
|
all data; only the character-oriented API can. As a consequence,
|
|
|
|
libraries and applications that want to support all user data in a
|
|
|
|
cross-platform manner have to accept mish-mash of bytes and characters
|
|
|
|
exactly in the way that caused endless troubles for Python 2.x.
|
|
|
|
|
|
|
|
With this PEP, a uniform treatment of these data as characters becomes
|
|
|
|
possible. The uniformity is achieved by using specific encoding
|
|
|
|
algorithms, meaning that the data can be converted back to bytes on
|
|
|
|
POSIX systems only if the same encoding is used.
|
|
|
|
|
2009-04-25 08:31:23 -04:00
|
|
|
Being able to treat such strings uniformly will allow application
|
|
|
|
writers to abstract from details specific to the operating system, and
|
|
|
|
reduces the risk of one API failing when the other API would have
|
|
|
|
worked.
|
|
|
|
|
2009-04-22 02:42:06 -04:00
|
|
|
Specification
|
|
|
|
=============
|
|
|
|
|
|
|
|
On Windows, Python uses the wide character APIs to access
|
|
|
|
character-oriented APIs, allowing direct conversion of the
|
2022-01-21 06:03:51 -05:00
|
|
|
environmental data to Python str objects (:pep:`277`).
|
2009-04-22 02:42:06 -04:00
|
|
|
|
|
|
|
On POSIX systems, Python currently applies the locale's encoding to
|
2009-04-29 16:01:33 -04:00
|
|
|
convert the byte data to Unicode, failing for characters that cannot
|
2009-05-03 13:32:27 -04:00
|
|
|
be decoded. With this PEP, non-decodable bytes >= 128 will be
|
2009-05-05 17:01:44 -04:00
|
|
|
represented as lone surrogate codes U+DC80..U+DCFF. Bytes below
|
2009-04-30 05:50:16 -04:00
|
|
|
128 will produce exceptions; see the discussion below.
|
2009-04-22 02:42:06 -04:00
|
|
|
|
2022-01-21 06:03:51 -05:00
|
|
|
To convert non-decodable bytes, a new error handler (:pep:`293`)
|
2009-05-10 03:53:39 -04:00
|
|
|
"surrogateescape" is introduced, which produces these surrogates. On
|
|
|
|
encoding, the error handler converts the surrogate back to the
|
|
|
|
corresponding byte. This error handler will be used in any API that
|
|
|
|
receives or produces file names, command line arguments, or
|
|
|
|
environment variables.
|
2009-04-22 02:42:06 -04:00
|
|
|
|
|
|
|
The error handler interface is extended to allow the encode error
|
|
|
|
handler to return byte strings immediately, in addition to returning
|
2009-04-30 04:34:04 -04:00
|
|
|
Unicode strings which then get encoded again (also see the discussion
|
|
|
|
below).
|
2009-04-22 02:42:06 -04:00
|
|
|
|
2011-03-13 22:31:44 -04:00
|
|
|
Byte-oriented interfaces that already exist in Python 3.0 are not
|
2017-03-24 17:11:33 -04:00
|
|
|
affected by this specification. They are neither enhanced nor
|
2009-04-29 02:26:43 -04:00
|
|
|
deprecated.
|
|
|
|
|
2009-04-30 12:24:32 -04:00
|
|
|
External libraries that operate on file names (such as GUI file
|
2012-02-05 03:28:57 -05:00
|
|
|
choosers) should also encode them according to the PEP.
|
2009-04-30 12:24:32 -04:00
|
|
|
|
2009-04-22 02:42:06 -04:00
|
|
|
Discussion
|
|
|
|
==========
|
|
|
|
|
2011-03-13 22:31:44 -04:00
|
|
|
This surrogateescape encoding is based on Markus Kuhn's idea that
|
2015-02-14 12:49:04 -05:00
|
|
|
he called UTF-8b [3]_.
|
2011-03-13 22:31:44 -04:00
|
|
|
|
2009-04-22 02:42:06 -04:00
|
|
|
While providing a uniform API to non-decodable bytes, this interface
|
|
|
|
has the limitation that chosen representation only "works" if the data
|
2009-05-10 03:53:39 -04:00
|
|
|
get converted back to bytes with the surrogateescape error handler
|
2009-04-22 02:42:06 -04:00
|
|
|
also. Encoding the data with the locale's encoding and the (default)
|
|
|
|
strict error handler will raise an exception, encoding them with UTF-8
|
2023-07-14 12:49:20 -04:00
|
|
|
will produce nonsensical data.
|
2009-04-30 05:24:24 -04:00
|
|
|
|
|
|
|
Data obtained from other sources may conflict with data produced
|
|
|
|
by this PEP. Dealing with such conflicts is out of scope of the PEP.
|
2009-04-22 02:42:06 -04:00
|
|
|
|
2009-06-02 17:43:06 -04:00
|
|
|
This PEP allows the possibility of "smuggling" bytes in character
|
|
|
|
strings. This would be a security risk if the bytes are
|
|
|
|
security-critical when interpreted as characters on a target system,
|
|
|
|
such as path name separators. For this reason, the PEP rejects
|
|
|
|
smuggling bytes below 128. If the target system uses EBCDIC, such
|
|
|
|
smuggled bytes may still be a security risk, allowing smuggling of
|
|
|
|
e.g. square brackets or the backslash. Python currently does not
|
|
|
|
support EBCDIC, so this should not be a problem in practice. Anybody
|
|
|
|
porting Python to an EBCDIC system might want to adjust the error
|
|
|
|
handlers, or come up with other approaches to address the security
|
|
|
|
risks.
|
2009-06-02 17:00:50 -04:00
|
|
|
|
2009-04-30 05:50:16 -04:00
|
|
|
Encodings that are not compatible with ASCII are not supported by
|
|
|
|
this specification; bytes in the ASCII range that fail to decode
|
|
|
|
will cause an exception. It is widely agreed that such encodings
|
|
|
|
should not be used as locale charsets.
|
|
|
|
|
2009-04-22 02:42:06 -04:00
|
|
|
For most applications, we assume that they eventually pass data
|
|
|
|
received from a system interface back into the same system
|
2009-04-22 15:08:10 -04:00
|
|
|
interfaces. For example, an application invoking os.listdir() will
|
2009-04-22 02:42:06 -04:00
|
|
|
likely pass the result strings back into APIs like os.stat() or
|
|
|
|
open(), which then encodes them back into their original byte
|
|
|
|
representation. Applications that need to process the original byte
|
|
|
|
strings can obtain them by encoding the character strings with the
|
2009-05-10 03:53:39 -04:00
|
|
|
file system encoding, passing "surrogateescape" as the error handler
|
|
|
|
name. For example, a function that works like os.listdir, except for
|
|
|
|
accepting and returning bytes, would be written as::
|
2009-04-29 02:26:43 -04:00
|
|
|
|
|
|
|
def listdir_b(dirname):
|
|
|
|
fse = sys.getfilesystemencoding()
|
2009-05-10 03:53:39 -04:00
|
|
|
dirname = dirname.decode(fse, "surrogateescape")
|
2009-04-29 02:26:43 -04:00
|
|
|
for fn in os.listdir(dirname):
|
|
|
|
# fn is now a str object
|
2009-05-10 03:53:39 -04:00
|
|
|
yield fn.encode(fse, "surrogateescape")
|
2009-04-22 02:42:06 -04:00
|
|
|
|
2009-05-06 03:53:21 -04:00
|
|
|
The extension to the encode error handler interface proposed by this
|
2009-05-10 03:53:39 -04:00
|
|
|
PEP is necessary to implement the 'surrogateescape' error handler,
|
|
|
|
because there are required byte sequences which cannot be generated
|
|
|
|
from replacement Unicode. However, the encode error handler interface
|
|
|
|
presently requires replacement Unicode to be provided in lieu of the
|
2009-05-06 03:53:21 -04:00
|
|
|
non-encodable Unicode from the source string. Then it promptly
|
|
|
|
encodes that replacement Unicode. In some error handlers, such as the
|
2009-05-10 03:53:39 -04:00
|
|
|
'surrogateescape' proposed here, it is also simpler and more efficient
|
|
|
|
for the error handler to provide a pre-encoded replacement byte
|
|
|
|
string, rather than forcing it to calculating Unicode from which the
|
|
|
|
encoder would create the desired bytes.
|
2009-04-30 04:34:04 -04:00
|
|
|
|
2009-04-30 05:24:24 -04:00
|
|
|
A few alternative approaches have been proposed:
|
|
|
|
|
|
|
|
* create a new string subclass that supports embedded bytes
|
|
|
|
* use different escape schemes, such as escaping with a NUL
|
|
|
|
character, or mapping to infrequent characters.
|
2009-04-30 04:34:04 -04:00
|
|
|
|
2009-04-30 11:56:46 -04:00
|
|
|
Of these proposals, the approach of escaping each byte XX
|
|
|
|
with the sequence U+0000 U+00XX has the disadvantage that
|
|
|
|
encoding to UTF-8 will introduce a NUL byte in the UTF-8
|
|
|
|
sequence. As a consequence, C libraries may interpret this
|
|
|
|
as a string termination, even though the string continues.
|
|
|
|
In particular, the gtk libraries will truncate text in this
|
|
|
|
case; other libraries may show similar problems.
|
|
|
|
|
2009-04-30 03:02:13 -04:00
|
|
|
References
|
|
|
|
==========
|
|
|
|
|
2015-02-14 12:49:04 -05:00
|
|
|
.. [3] UTF-8b
|
2022-11-02 14:34:56 -04:00
|
|
|
https://web.archive.org/web/20090830064219/http://mail.nl.linux.org/linux-utf8/2000-07/msg00040.html
|
2011-03-13 22:31:44 -04:00
|
|
|
|
2009-04-22 02:42:06 -04:00
|
|
|
Copyright
|
|
|
|
=========
|
|
|
|
|
|
|
|
This document has been placed in the public domain.
|