"it looks like all the avenues for arbitrary code execution while checking if an exception handler matches a thrown an exception are closed off."

This seems to be directly contradicted by your previous sentence: "the except clause accepts any expressions producing a tuple or BaseException instance".



>>> def f(): raise AttributeError
>>> try: raise IndexError
... except f(): raise KeyError
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
IndexError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 2, in <module>
  File "<stdin>", line 1, in f
AttributeError

(note that f() is evaluated only if the body of "try" actually raises)
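
Added example, not part of the original comment: it generalises the session above to show that except-clause expressions run as ordinary code, lazily and in order, stopping at the first match, and that an expression which raises replaces the exception in flight. The names handler_expr, raising_expr, run and run_raising are hypothetical.

```python
calls = []  # records which except-clause expressions were evaluated


def handler_expr(label, exc_type):
    """Stand-in for an arbitrary expression used in an except clause."""
    calls.append(label)
    return exc_type


def run(body_exc):
    """Run a try body that raises body_exc (or nothing); report what ran."""
    calls.clear()
    try:
        try:
            if body_exc is not None:
                raise body_exc
            outcome = "no exception"
        except handler_expr("first", KeyError):
            outcome = "first handler"
        except handler_expr("second", LookupError):
            outcome = "second handler"
        except handler_expr("third", Exception):
            outcome = "third handler"
    except BaseException as exc:
        # Nothing matched: every expression was evaluated, none caught it.
        outcome = "propagated " + type(exc).__name__
    return list(calls), outcome


def raising_expr():
    """Same shape as f() in the session above."""
    raise AttributeError


def run_raising():
    """The except expression itself raises while IndexError is in flight."""
    try:
        try:
            raise IndexError
        except raising_expr():
            raise KeyError  # never reached
    except Exception as exc:
        # The new exception wins; the original is kept as its __context__.
        return type(exc).__name__, type(exc.__context__).__name__


if __name__ == "__main__":
    for case in (None, KeyError(), IndexError(), KeyboardInterrupt()):
        print(repr(case), run(case))
    print(run_raising())
```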
