The Case Against Python 3
Paul Moore
p.f.moore at gmail.com
Thu Dec 1 09:03:34 EST 2016
On Tuesday, 29 November 2016 01:01:01 UTC, Chris Angelico wrote:
> So what is it that's trying to read something and is calling an
> f-string a mere string?
gettext.c2py (indentation restored; io is imported at module level in gettext.py):

    import io

    def c2py(plural):
        """Gets a C expression as used in PO files for plural forms and returns a
        Python lambda function that implements an equivalent expression.
        """
        # Security check, allow only the "n" identifier
        import token, tokenize
        tokens = tokenize.generate_tokens(io.StringIO(plural).readline)
        try:
            danger = [x for x in tokens if x[0] == token.NAME and x[1] != 'n']
        except tokenize.TokenError:
            raise ValueError('plural forms expression error, maybe unbalanced parenthesis')
        else:
            if danger:
                raise ValueError('plural forms expression could be dangerous')
So the only things that count as DANGER are NAME tokens that aren't "n". That seems pretty permissive...
While I agree that f-strings are more dangerous than people will immediately realise (the mere fact that we call them f-*strings* when they definitely aren't strings is an example of that), the problem here is clearly (IMO) with the sloppy checking in gettext.
Paul
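The check quoted above, reimplemented as an added example (this is not the gettext source and not code from anyone in this thread) so it can be run over constructed plural-forms expressions: the NAME-only denylist beside an allowlist that only admits the identifier n, integer literals and a handful of operators. Assumptions, labelled in the code: that the stdlib of the time went on to eval('lambda n: int(%s)' % plural) after the check (modelled here by compile_plural, without the C-to-Python operator rewrite the real function also did), that a harmless f-string calling len() stands in for a real payload, and that the tokenizer change of PEP 701 (Python 3.12) is what decides whether the hidden NAME becomes visible to the denylist.

```python
"""Added example, not the gettext source quoted in the post: the NAME-only
check from gettext.c2py, reimplemented beside an allowlist check, and run
over constructed plural-forms expressions plus one f-string probe."""
import io
import sys
import tokenize

# PEP 701 (Python 3.12) made the tokenizer split an f-string into
# FSTRING_START / expression tokens / FSTRING_END, so NAMEs inside it
# become visible. Before that an f-string was one opaque STRING token.
PEP701_TOKENIZER = sys.version_info >= (3, 12)

# Constructed, harmless stand-in for a smuggled expression: a NAME ('len')
# hidden inside an f-string. A real payload would use __import__ instead.
FSTRING_PROBE = "f'{len(\"abc\")}'"


def _tokens(plural):
    """Tokenize the expression exactly the way the gettext check did."""
    return list(tokenize.generate_tokens(io.StringIO(plural).readline))


def passes_name_check(plural):
    """The denylist from the post: only NAME tokens other than 'n' count as
    dangerous. Every other token type, STRING included, is waved through."""
    try:
        danger = [t for t in _tokens(plural)
                  if t.type == tokenize.NAME and t.string != 'n']
    except tokenize.TokenError:
        return False            # e.g. unbalanced parentheses
    return not danger


# Operators a C plural-forms expression needs that are also Python tokens.
# '&&' and '||' tokenize as two '&' / '|' OPs, which is fine for a check.
# C's ternary '?' is not a Python token, so a complete port would need its
# own tokenizer (which later gettext versions added); this is a sketch.
ALLOWED_OPS = {'(', ')', ':', '==', '!=', '<', '>', '<=', '>=',
               '%', '+', '-', '*', '/', '&', '|'}
ALLOWED_TYPES = {tokenize.NEWLINE, tokenize.NL, tokenize.ENDMARKER}


def passes_allowlist_check(plural):
    """Allowlist: every token must be the identifier n, an integer literal,
    one of ALLOWED_OPS, or end-of-line bookkeeping. Anything else (STRING,
    FSTRING_START, ERRORTOKEN, other NAMEs) is rejected on every version."""
    try:
        toks = _tokens(plural)
    except tokenize.TokenError:
        return False
    for t in toks:
        if t.type == tokenize.NAME and t.string == 'n':
            continue
        if t.type == tokenize.NUMBER and t.string.isdigit():
            continue
        if t.type == tokenize.OP and t.string in ALLOWED_OPS:
            continue
        if t.type in ALLOWED_TYPES:
            continue
        return False
    return True


def compile_plural(plural):
    """Assumption: models what the stdlib did after the check, which ended in
    eval('lambda n: int(%s)' % plural). The C-to-Python operator rewrite the
    real function performed first is omitted, so only expressions that are
    already valid Python (such as 'n != 1') are passed through here."""
    if not passes_name_check(plural):
        raise ValueError('plural forms expression could be dangerous')
    return eval('lambda n: int(%s)' % plural)


def hidden_call_executes():
    """Does the len() hidden in FSTRING_PROBE actually run under the
    denylist? int(f'{len("abc")}') is 3 when it does."""
    try:
        return compile_plural(FSTRING_PROBE)(1) == 3
    except ValueError:
        return False


if __name__ == '__main__':
    for expr in ("n != 1", "n % 10 == 1 && n % 100 != 11",
                 "__import__('os')", FSTRING_PROBE):
        print("%-32r name-check=%-5s allowlist=%s" % (
            expr, passes_name_check(expr), passes_allowlist_check(expr)))
    print("hidden call executed:", hidden_call_executes())
```

On Python 3.6 through 3.11 the probe is a single STRING token, so the denylist never sees the NAME inside it and the eval runs the hidden call; from 3.12 on the tokenizer exposes the inner tokens and the same denylist happens to catch it. The allowlist rejects the probe on every version, which is the point: a check that lists what is dangerous depends on the tokenizer's idea of what a string is, while one that lists what is permitted does not.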
More information about the Python-list mailing list