The Case Against Python 3

Paul Moore p.f.moore at gmail.com
Thu Dec 1 09:03:34 EST 2016


On Tuesday, 29 November 2016 01:01:01 UTC, Chris Angelico  wrote:
> So what is it that's trying to read something and is calling an
> f-string a mere string?

gettext.c2py:

    """Gets a C expression as used in PO files for plural forms and returns a
    Python lambda function that implements an equivalent expression.
    """
    # Security check, allow only the "n" identifier
    import token, tokenize
    tokens = tokenize.generate_tokens(io.StringIO(plural).readline)
    try:
        danger = [x for x in tokens if x[0] == token.NAME and x[1] != 'n']
    except tokenize.TokenError:
        raise ValueError('plural forms expression error, maybe unbalanced parenthesis')
    else:
        if danger:
            raise ValueError('plural forms expression could be dangerous')

So the only things that count as DANGER are NAME tokens that aren't "n". That seems pretty permissive...

While I agree that f-strings are more dangerous than people will immediately realise (the mere fact that we call them f-*strings* when they definitely aren't strings is an example of that), the problem here is clearly (IMO) with the sloppy checking in gettext.

Paul


More information about the Python-list mailing list