On Tuesday, 29 November 2016 01:01:01 UTC, Chris Angelico wrote:
> So what is it that's trying to read something and is calling an
> f-string a mere string?

gettext.c2py:

    """Gets a C expression as used in PO files for plural forms and returns a
    Python lambda function that implements an equivalent expression.
    """
    # Security check, allow only the "n" identifier
    import token, tokenize
    tokens = tokenize.generate_tokens(io.StringIO(plural).readline)
    try:
        danger = [x for x in tokens if x[0] == token.NAME and x[1] != 'n']
    except tokenize.TokenError:
        raise ValueError('plural forms expression error, maybe unbalanced parenthesis')
    else:
        if danger:
            raise ValueError('plural forms expression could be dangerous')

So the only things that count as DANGER are NAME tokens that aren't
"n". That seems pretty permissive...

While I agree that f-strings are more dangerous than people will
immediately realise (the mere fact that we call them f-*strings* when
they definitely aren't strings is an example of that), the problem
here is clearly (IMO) with the sloppy checking in gettext.

Paul
-- 
https://mail.python.org/mailman/listinfo/python-list
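
Added example (not part of the original post and not gettext's own code): the NAME-only filter quoted above, run next to a stricter allowlist on constructed plural expressions. The names legacy_allows and strict_allows and the allowlist grammar are assumptions made for illustration. Python 3.6 through 3.11 tokenize a whole f-string as one STRING token, while 3.12 and later tokenize its parts separately, so the f-string result depends on the interpreter.

```python
import io, re, sys, token, tokenize

# Python 3.6-3.11 report an entire f-string as a single STRING token.
FSTRING_IS_ONE_TOKEN = (3, 6) <= sys.version_info[:2] < (3, 12)

def legacy_allows(plural):
    """The check quoted in the post: refuse only NAME tokens other than 'n'."""
    tokens = tokenize.generate_tokens(io.StringIO(plural).readline)
    try:
        danger = [t for t in tokens if t[0] == token.NAME and t[1] != "n"]
    except (tokenize.TokenError, SyntaxError):
        return False
    return not danger

# Assumed allowlist (illustrative, not gettext's fix): decimal integers, the
# identifier n, C comparison/arithmetic/logical operators, ?: and parentheses.
# '**' is refused because it is exponentiation in Python, not a C operator.
_TOKEN = r"(?:\d+\b|n\b|==|!=|<=|>=|&&|\|\||\*(?!\*)|[-+/%<>!?:()])"
_STRICT = re.compile(r"(?:\s*" + _TOKEN + r")+\s*")

def strict_allows(plural):
    """Accept only expressions made entirely of allowlisted tokens."""
    return _STRICT.fullmatch(plural) is not None

# Constructed sample inputs.
SAMPLES = {
    "simple plural": "n != 1",
    "ternary plural": "n%10==1 && n%100!=11 ? 0 : n != 0 ? 1 : 2",
    "string literal": "'x' * n",
    "f-string": "f\"{len('x')}\"",
    "other name": "len(n)",
    "power operator": "n ** n",
}

if __name__ == "__main__":
    for label, expr in SAMPLES.items():
        print(f"{label:15} strict={strict_allows(expr)!s:5} {expr}")
    # The legacy result is shown only for inputs every tokenizer version accepts.
    for label in ("simple plural", "string literal", "f-string", "other name"):
        print(f"{label:15} legacy={legacy_allows(SAMPLES[label])}")
```
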