On Tue, Apr 25, 2023 at 6:16 PM Joao S. O. Bueno <gwidion@gmail.com> wrote:

> Worst case scenario, one goes from one non-running program to a running program producing partially incorrect output. Any legacy code that was not working in the first place is obviously, clearly, not critical for anyone; otherwise it would have been fixed already.

Worst case scenario: use of this feature introduces bugs. For example, security holes.

Generally, formatting and parsing are not idempotent and you should not reformat or reparse already processed strings. See http://google-gruyere.appspot.com/ to learn more about the pitfalls and in particular http://google-gruyere.appspot.com/part5#5__information_disclosure_bug_3 


On Fri, Apr 28, 2023 at 8:49 AM MRAB <python@mrabarnett.plus.com> wrote:

> What happens if you do '{open}...{close}'.partial_format(open='{close}')?
> You get '{close}...{close}', and you're going to have a problem using
> that as a format string and replacing only the second '{close}'.

To take this further, suppose you write 'Hello {username} from {company}'.format(userdata).format(companydata) where the user has set their name to "Dr. {secret} Evil" where {secret} is something in companydata that should not be exposed. The presence of this bug is going to be very hard to find.

This seems like an obvious case of a non-solution to a non-problem that's actually worse than no solution at all.

--- Bruce
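
Added example, not part of the original message: a runnable sketch of the two cases discussed above (MRAB's `{open}`/`{close}` collision and the `{secret}` disclosure), next to a single-pass rendering and a brace-escaping variant. `partial_format` here is a hypothetical stand-in for the proposed method, built on `str.format_map`; the template, names and secret value are constructed.

```python
TEMPLATE = "Hello {username} from {company}"

# Constructed sample data; the secret value is a placeholder.
USERDATA = {"username": "Dr. {secret} Evil"}  # user-controlled
COMPANYDATA = {"company": "Acme", "secret": "CONSTRUCTED-SECRET"}


class _KeepMissing(dict):
    """Mapping that re-emits '{name}' for fields it has no value for."""

    def __missing__(self, key):
        return "{" + key + "}"


def partial_format(template, **values):
    """Hypothetical stand-in for the proposed str.partial_format()."""
    return template.format_map(_KeepMissing(values))


def render_two_pass(userdata, companydata):
    """Unsafe: the output of pass one is reparsed as a format string."""
    first = partial_format(TEMPLATE, **userdata)
    return partial_format(first, **companydata)


def render_single_pass(userdata, companydata):
    """Safe: the template is parsed once and values are never reparsed."""
    return TEMPLATE.format_map({**companydata, **userdata})


def escape_braces(value):
    """Neutralise braces so a value survives exactly one further pass."""
    return value.replace("{", "{{").replace("}", "}}")


def render_two_pass_escaped(userdata, companydata):
    """Two passes, with user values escaped before the first one."""
    safe = {k: escape_braces(v) for k, v in userdata.items()}
    return partial_format(partial_format(TEMPLATE, **safe), **companydata)


if __name__ == "__main__":
    print(partial_format("{open}...{close}", open="{close}"))
    print(render_two_pass(USERDATA, COMPANYDATA))
    print(render_single_pass(USERDATA, COMPANYDATA))
    print(render_two_pass_escaped(USERDATA, COMPANYDATA))
```

The escaping variant only protects against one reparse; each additional formatting pass would need the braces doubled again, which is why rendering once from the original template is the more robust choice.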