
Author christian.heimes
Recipients Carl Ekerot, christian.heimes, loewis, serhiy.storchaka, xiang.zhang
Date 2016-11-05.18:17:49
Message-id <1478369869.43.0.375278797825.issue28563@psf.upfronthosting.co.za>
In-reply-to
Content
Argh, sorry. I meant to write "The gettext module might be vulnerable to more than f-string attacks."

May I suggest that you have a look at my old patch? It uses an AST visitor to inspect the AST of a gettext plural expression. It allows only a limited set of AST types as well as a limited number of expressions. I consider it a superior solution and a fix for more generic attacks.

I haven't tested my patch with f-strings yet. It either already refuses the f-string FormattedValue node or can easily be modified to reject it.
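The allowlist approach described in the message, written out as an added illustration (this is not the patch from the issue, nor CPython's gettext code). It assumes the plural expression has already been translated into Python syntax, as gettext's c2py does, and that `n` is the only legal variable; everything else, including f-strings, attribute access and calls, is rejected before anything is compiled.

```python
import ast

# Node types a gettext plural expression legitimately needs.
# Allowlist constructed for this example; JoinedStr/FormattedValue (f-strings),
# Attribute, Call, Subscript, Lambda and Pow are deliberately absent.
_ALLOWED_NODES = (
    ast.Expression, ast.BinOp, ast.BoolOp, ast.Compare, ast.IfExp,
    ast.UnaryOp, ast.Constant, ast.Name, ast.Load,
    ast.Add, ast.Sub, ast.Mult, ast.Mod, ast.FloorDiv,
    ast.And, ast.Or, ast.Not,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
)
_MAX_NODES = 200  # size bound so an oversized expression is refused, not evaluated


class PluralExprError(ValueError):
    """Raised when a plural expression uses syntax outside the allowlist."""


def validate_plural_expr(expr: str) -> ast.Expression:
    """Parse expr and reject any node type, variable or constant not allowed."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise PluralExprError(f"not a valid expression: {exc.msg}") from None
    count = 0
    for node in ast.walk(tree):  # visits every node, so nothing nested can hide
        count += 1
        if count > _MAX_NODES:
            raise PluralExprError("expression too large")
        if not isinstance(node, _ALLOWED_NODES):
            raise PluralExprError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id != "n":
            raise PluralExprError(f"unknown variable: {node.id}")
        if isinstance(node, ast.Constant) and type(node.value) is not int:
            raise PluralExprError("only integer constants are allowed")
    return tree


def is_safe_plural_expr(expr: str) -> bool:
    try:
        validate_plural_expr(expr)
    except PluralExprError:
        return False
    return True


def plural_index(expr: str, n: int) -> int:
    """Evaluate an expression that passed validation; builtins are stripped."""
    code = compile(validate_plural_expr(expr), "<plural>", "eval")
    return int(eval(code, {"__builtins__": {}}, {"n": n}))
```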
History
Date                 User              Action  Args
2016-11-05 18:17:49  christian.heimes  set     recipients: + christian.heimes, loewis, serhiy.storchaka, xiang.zhang, Carl Ekerot
2016-11-05 18:17:49  christian.heimes  set     messageid: <1478369869.43.0.375278797825.issue28563@psf.upfronthosting.co.za>
2016-11-05 18:17:49  christian.heimes  link    issue28563 messages
2016-11-05 18:17:49  christian.heimes  create