Carl Ekerot added the comment:
> The gettext module might be vulnerable to f-string attacks
It is. See the example in the first comment:
gettext.c2py('f"{os.system(\'sh\')}"')(0)
This vulnerability seems to be solved in Xiang's patch. The DoS aspect is
interesting though, since there's no constraints against malicious use of the
power-operator, say "9**9**9**..**9". This too would be solved by implementing
a parser with only simple arithmetics.
----------
_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue28563>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
