The Case Against Python 3
p.f.moore at gmail.com
Thu Dec 1 09:03:34 EST 2016
On Tuesday, 29 November 2016 01:01:01 UTC, Chris Angelico wrote:
> So what is it that's trying to read something and is calling an
> f-string a mere string?
"""Gets a C expression as used in PO files for plural forms and returns a
Python lambda function that implements an equivalent expression.
# Security check, allow only the "n" identifier
import token, tokenize
tokens = tokenize.generate_tokens(io.StringIO(plural).readline)
danger = [x for x in tokens if x == token.NAME and x != 'n']
raise ValueError('plural forms expression error, maybe unbalanced parenthesis')
raise ValueError('plural forms expression could be dangerous')
So the only things that count as DANGER are NAME tokens that aren't "n". That seems pretty permissive...
While I agree that f-strings are more dangerous than people will immediately realise (the mere fact that we call them f-*strings* when they definitely aren't strings is an example of that), the problem here is clearly (IMO) with the sloppy checking in gettext.
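An added illustration, not part of the post or of the gettext module, of why the token-level check is permissive: it inspects only NAME tokens, so anything the tokenizer reports under another kind (a plain STRING, or the string/f-string token kinds an f-string literal produces) is never looked at. The `strict_danger` variant is a constructed allow-list check, not the fix that later shipped in gettext; `sloppy_danger`, `_ALLOWED_KINDS` and `_tokens` are names chosen for this example.

```python
import io
import token
import tokenize

# Token kinds a C plural-forms expression can legitimately contain.
# Constructed allow-list for this example, not gettext's own rule set.
_ALLOWED_KINDS = {token.NUMBER, token.OP, token.NEWLINE, token.NL, token.ENDMARKER}


def _tokens(expr):
    """Tokenize expr the same way gettext.c2py did (str input, no ENCODING token)."""
    return list(tokenize.generate_tokens(io.StringIO(expr).readline))


def sloppy_danger(expr):
    """Reproduce the original rule: only NAME tokens other than 'n' are flagged."""
    return [tok.string for tok in _tokens(expr)
            if tok.type == token.NAME and tok.string != 'n']


def strict_danger(expr):
    """Allow-list rule: flag every token that is not a number, an operator,
    the identifier 'n', or end-of-input. String literals of any kind are
    therefore rejected, since a plural-forms expression never needs one."""
    bad = []
    for tok in _tokens(expr):
        if tok.type == token.NAME and tok.string == 'n':
            continue
        if tok.type in _ALLOWED_KINDS:
            continue
        bad.append((token.tok_name[tok.type], tok.string))
    return bad


def check_plural(expr):
    """Raise ValueError with c2py's messages if expr fails the strict rule."""
    try:
        bad = strict_danger(expr)
    except tokenize.TokenError:
        raise ValueError('plural forms expression error, maybe unbalanced parenthesis')
    if bad:
        raise ValueError('plural forms expression could be dangerous: %r' % (bad,))
    return True


if __name__ == '__main__':
    for expr in ('n != 1', 'foo(n)', '"x"', 'f"{n}"'):  # constructed inputs
        print('%-8r sloppy=%r strict=%r' % (expr, sloppy_danger(expr), strict_danger(expr)))
```

The output differs between interpreter versions only in the token kind names reported for the f-string case; under every version the sloppy rule passes it and the strict rule rejects it.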