On Sun, Nov 27, 2016 at 11:13 AM, Steve D'Aprano <steve+pyt...@pearwood.info> wrote:
> So-called f-strings haven't even hit the already been implicated in a
> code-injection vulnerability:
>
> http://bugs.python.org/issue28563
>
> I feel kind of vindicated here, because when so-called f-strings were first
> proposed I asked about the security implication of another way of
> evaluating arbitrary expressions, and I was told that there were no
> security implications. Technically that might be true in the sense that
> f-strings don't do anything that wasn't already possible, but as the above
> bug shows, they can make exploiting code injection trivially easy in cases
> where they were previously diabolically hard.
Given that the exploit exists in 2.7, I would say f-strings didn't create this, eval did. The problem is that you absolutely CANNOT "sanitize" something before giving it to eval. An f-string slips past the sanitizer, but so do other things.

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list
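The point made above, that input cannot be sanitized before eval(), is why the usual mitigation is to not call eval() at all and instead evaluate a restricted grammar. The following is an added example, not code from this thread or from CPython's gettext module: a hypothetical safe_plural() that parses a plural-form style expression over one variable n with the ast module and walks a whitelist of node types, so an f-string, a call, a subscript or an attribute access is rejected as disallowed syntax rather than executed.

```python
import ast
import operator

# Whitelisted operators: integer arithmetic and single comparisons, which is
# all a gettext-style plural expression (e.g. "n != 1") needs.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv, ast.Mod: operator.mod,
}
_CMP_OPS = {
    ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
    ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge,
}


def _ev(node, n):
    """Evaluate one AST node; any node type not listed here is rejected."""
    if isinstance(node, ast.Expression):
        return _ev(node.body, n)
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.Name) and node.id == "n":   # the only variable
        return n
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_ev(node.left, n), _ev(node.right, n))
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return int(not _ev(node.operand, n))
    if isinstance(node, ast.BoolOp):
        vals = [_ev(v, n) for v in node.values]
        return int(all(vals) if isinstance(node.op, ast.And) else any(vals))
    if (isinstance(node, ast.Compare) and len(node.ops) == 1
            and type(node.ops[0]) in _CMP_OPS):
        left, right = _ev(node.left, n), _ev(node.comparators[0], n)
        return int(_CMP_OPS[type(node.ops[0])](left, right))
    if isinstance(node, ast.IfExp):
        return _ev(node.body, n) if _ev(node.test, n) else _ev(node.orelse, n)
    # JoinedStr (f-string), Call, Attribute, Subscript, Lambda, ... land here.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def safe_plural(expr, n):
    """Evaluate a plural-form expression over integer n without eval()."""
    tree = ast.parse(expr, mode="eval")   # malformed input raises SyntaxError
    return _ev(tree, n)
```

Chained comparisons such as `2 <= n <= 4` are deliberately rejected; spell them out with `and` if needed.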