Author Carl Ekerot
Recipients Carl Ekerot, christian.heimes, loewis, serhiy.storchaka, xiang.zhang
Date 2016-11-05.18:00:31
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
> The gettext module might be vulnerable to f-string attacks

It is. See the example in the first comment:


This vulnerability seems to be solved in Xiang's patch. The DoS aspect is interesting though, since there's no constraints against malicious use of the power-operator, say "9**9**9**..**9". This too would be solved by implementing a parser with only simple arithmetics.
Date User Action Args
2016-11-05 18:00:32Carl Ekerotsetrecipients: + Carl Ekerot, loewis, christian.heimes, serhiy.storchaka, xiang.zhang
2016-11-05 18:00:31Carl Ekerotsetmessageid: <>
2016-11-05 18:00:31Carl Ekerotlinkissue28563 messages
2016-11-05 18:00:31Carl Ekerotcreate