The Case Against Python 3

Paul Moore p.f.moore at gmail.com
Thu Dec 1 09:03:34 EST 2016


On Tuesday, 29 November 2016 01:01:01 UTC, Chris Angelico wrote:
> So what is it that's trying to read something and is calling an
> f-string a mere string?

gettext.c2py:
    """Gets a C expression as used in PO files for plural forms and returns a
    Python lambda function that implements an equivalent expression.
    """
    # Security check, allow only the "n" identifier
    import token, tokenize
    tokens = tokenize.generate_tokens(io.StringIO(plural).readline)
    try:
        danger = [x for x in tokens if x[0] == token.NAME and x[1] != 'n']
    except tokenize.TokenError:
        raise ValueError('plural forms expression error, maybe unbalanced parenthesis')
    else:
        if danger:
            raise ValueError('plural forms expression could be dangerous')

So the only things that count as DANGER are NAME tokens that aren't "n". That seems pretty permissive...

While I agree that f-strings are more dangerous than people will immediately realise (the mere fact that we call them f-*strings* when they definitely aren't strings is an example of that), the problem here is clearly (IMO) with the sloppy checking in gettext.
Paul
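
An added example, not part of the original post and not gettext's own code: the NAME-token check quoted above next to an AST allowlist that accepts only the node types a plural-forms expression needs. It assumes Python 3.8+ and that the expression is already in Python syntax; the names name_token_check and allowlist_check are hypothetical.

```python
import ast
import io
import token
import tokenize


def name_token_check(expr):
    """The check quoted in the post: only NAME tokens other than 'n' fail."""
    tokens = tokenize.generate_tokens(io.StringIO(expr).readline)
    try:
        return not any(t[0] == token.NAME and t[1] != 'n' for t in tokens)
    except (tokenize.TokenError, SyntaxError):
        return False


# Node types needed for arithmetic, comparison and conditionals on "n".
# Anything not listed (calls, attributes, f-strings, ...) is rejected.
_ALLOWED = (
    ast.Expression, ast.IfExp, ast.BoolOp, ast.And, ast.Or,
    ast.UnaryOp, ast.Not, ast.USub, ast.BinOp, ast.Add, ast.Sub,
    ast.Mult, ast.FloorDiv, ast.Mod, ast.Compare, ast.Eq, ast.NotEq,
    ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.Name, ast.Load, ast.Constant,
)


def allowlist_check(expr):
    """Accept expr only if every AST node is explicitly permitted."""
    try:
        tree = ast.parse(expr, mode='eval')
    except (SyntaxError, ValueError):
        return False
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            return False
        if isinstance(node, ast.Name) and node.id != 'n':
            return False
        # Integer literals only: no str, bytes, float or bool constants.
        if isinstance(node, ast.Constant) and type(node.value) is not int:
            return False
    return True


if __name__ == '__main__':
    # Constructed sample inputs.
    for sample in ('n != 1', '0 if n == 1 else 1', '"x" * n', 'f"{n}"'):
        print(repr(sample), name_token_check(sample), allowlist_check(sample))
```

The token check is meant for the C-style input, so it rejects Python keywords such as "if" and "and", yet it lets string and f-string literals through; the allowlist does the reverse.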

