Steve D'Aprano wrote:
> I daresay you are right that a sufficiently clever adversary may have found an exploit. But there's no sign that anyone actually did find an exploit, until f-strings made exploiting this trivial.

The person who wrote the bug report found at least one way of exploiting it that doesn't require f-strings. I agree that f-strings are not to blame here. If we really want to avoid breaking anyone's ill-conceived attempts at sandboxing eval, we'd better not add anything more to the language, ever, because nobody can foresee all the possible consequences.

-- Greg