On Tuesday, 29 November 2016 01:01:01 UTC, Chris Angelico wrote:
> So what is it that's trying to read something and is calling an
> f-string a mere string?
"""Gets a C expression as used in PO files for plural forms and returns a
Python lambda function that implements an equivalent expression.
# Security check, allow only the "n" identifier
import token, tokenize
tokens = tokenize.generate_tokens(io.StringIO(plural).readline)
danger = [x for x in tokens if x == token.NAME and x != 'n']
raise ValueError('plural forms expression error, maybe unbalanced
raise ValueError('plural forms expression could be dangerous')
So the only things that count as DANGER are NAME tokens that aren't "n". That
seems pretty permissive...
While I agree that f-strings are more dangerous than people will immediately
realise (the mere fact that we call them f-*strings* when they definitely
aren't strings is an example of that), the problem here is clearly (IMO) with
the sloppy checking in gettext.
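To make the "sloppy checking" concrete, here is an added illustration (my own code, not from the thread or from gettext itself) that puts the NAME-only check quoted above beside an allow-list version. The original check ignores every token type it does not name, so a plain string or an f-string passes because neither contains a NAME other than `n`; the allow-list variant rejects anything that is not the identifier `n`, a number, an operator or the tokenizer's line/end bookkeeping. The sample expressions are constructed for the demonstration.

```python
import io
import token
import tokenize

# Token types a plural-forms expression legitimately needs besides the
# identifier n: integer literals, operators, and the tokenizer's
# NEWLINE/NL/ENDMARKER bookkeeping tokens.
ALLOWED_TYPES = {token.NUMBER, token.OP, token.NEWLINE, tokenize.NL,
                 token.ENDMARKER}


def check_gettext_style(plural):
    """The check quoted in the thread: only NAME tokens other than 'n'
    count as danger. Returns True when the expression would be accepted."""
    tokens = tokenize.generate_tokens(io.StringIO(plural).readline)
    try:
        danger = [t.string for t in tokens
                  if t.type == token.NAME and t.string != 'n']
    except tokenize.TokenError:
        return False  # e.g. unbalanced parenthesis
    return not danger


def check_allowlist(plural):
    """Hardened variant (hypothetical, not gettext's code): every token must
    be the name n or one of ALLOWED_TYPES. STRING, FSTRING_START (3.12+),
    ERRORTOKEN and anything else unexpected is rejected, not ignored."""
    tokens = tokenize.generate_tokens(io.StringIO(plural).readline)
    try:
        for t in tokens:
            if t.type == token.NAME and t.string == 'n':
                continue
            if t.type in ALLOWED_TYPES:
                continue
            return False
    except tokenize.TokenError:
        return False
    return True


# Constructed sample expressions for the demonstration.
SAMPLES = [
    "n != 1",             # ordinary plural rule: both checks accept
    "n % 10 == 1",        # ordinary plural rule: both checks accept
    "n == 1 and x == 0",  # foreign identifiers: both checks reject
    '"abc"',              # plain string: no NAME token, so the old check passes it
    'f"{n}"',             # f-string: the only NAME is n, so the old check passes it
    "(n",                 # unbalanced: tokenizer raises TokenError, both reject
]

if __name__ == "__main__":
    for expr in SAMPLES:
        print(f"{expr!r:22} gettext-style={check_gettext_style(expr)!s:5} "
              f"allowlist={check_allowlist(expr)}")
```

The difference is the direction of the rule: the quoted check enumerates what is forbidden and lets everything else through, while the allow-list enumerates what a plural expression actually needs. Whether an f-string is one STRING token (before 3.12) or a run of FSTRING_* tokens (3.12 and later), it is not on the list and is refused before anything reaches `eval`.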