First security bug related to f-strings
eryk sun
eryksun at gmail.com
Sat Nov 5 15:24:29 EDT 2016
On Sat, Nov 5, 2016 at 6:50 PM, Irmen de Jong <irmen.NOSPAM at xs4all.nl> wrote:
> Perhaps. But in those cases you could just leave things on the default.
> If you choose to run the interpreter with eval (and exec) disabled, you should be aware
> that you'll break tools like that. But for other situations (web server etc) it could
> still be useful? I do agree that not being able to use namedtuple (and perhaps other
> things from the stdlib) is a problem then.
Breaking importlib at startup is not an option. An application would
need to import everything before disabling exec.
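
The point made in the reply above, as an added example that is not part of the original message: the import system runs module code through `exec`, so a module loaded before `exec` is disabled stays usable while a later first-time import fails. The thread does not specify how the interpreter would disable `exec`; replacing `builtins.exec` is an assumed stand-in, and the module names `preloaded_mod` and `late_mod` are constructed for the demonstration.

```python
import builtins
import importlib
import os
import sys
import tempfile


def _blocked_exec(*args, **kwargs):
    # Assumed stand-in for an interpreter-level "exec disabled" switch.
    raise RuntimeError("exec is disabled")


def try_import(name):
    """Return 'ok' if the import succeeds, or the failure reason."""
    try:
        importlib.import_module(name)
        return "ok"
    except RuntimeError as exc:
        return f"failed: {exc}"


def demo():
    """Import one module before disabling exec and one after."""
    results = {}
    real_exec = builtins.exec
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample modules, written to a throwaway directory.
        for name in ("preloaded_mod", "late_mod"):
            with open(os.path.join(tmp, name + ".py"), "w") as fh:
                fh.write("VALUE = 1\n")
        sys.path.insert(0, tmp)
        importlib.invalidate_caches()
        try:
            importlib.import_module("preloaded_mod")  # loaded while exec works
            builtins.exec = _blocked_exec             # "disable" exec
            # Already in sys.modules: no module code has to run again.
            results["preloaded"] = try_import("preloaded_mod")
            # First import: the loader must exec the module's code object.
            results["late"] = try_import("late_mod")
            results["late_in_sys_modules"] = "late_mod" in sys.modules
        finally:
            builtins.exec = real_exec
            sys.path.remove(tmp)
            sys.modules.pop("preloaded_mod", None)
            sys.modules.pop("late_mod", None)
    return results


if __name__ == "__main__":
    print(demo())
```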