Message280120
Argh, sorry. I meant to write "The gettext module might be vulnerable to more than f-string attacks.".
May I suggest that you have a look at my old patch? It uses an AST visitor to inspect the AST of a gettext plural expression. It allows only a limited set of AST types as well as a limited number of expressions. I consider it a superior solution and a fix for more generic attacks.
I haven't tested my patch with f-strings yet. It either refuses f-strings' FormattedValue already or can be easily modified to reject it.
Date | User | Action | Args
2016-11-05 18:17:49 | christian.heimes | set | recipients: + christian.heimes, loewis, serhiy.storchaka, xiang.zhang, Carl Ekerot
2016-11-05 18:17:49 | christian.heimes | set | messageid: <1478369869.43.0.375278797825.issue28563@psf.upfronthosting.co.za>
2016-11-05 18:17:49 | christian.heimes | link | issue28563 messages
2016-11-05 18:17:49 | christian.heimes | create |
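An added example of the AST-whitelist approach the message describes; it is not the patch attached to this issue. It accepts a plural rule (already in Python syntax, as gettext produces after translating the C expression) only if every node is a whitelisted expression or operator type, the only variable is n, constants are integers, and the node count stays under an assumed budget; the names and MAX_NODES are assumptions.

```python
import ast

# Node types a plural rule in Python syntax legitimately needs: arithmetic on n,
# comparisons, boolean logic and the ternary that C's "? :" becomes.
ALLOWED_NODES = (ast.Expression, ast.BinOp, ast.BoolOp, ast.Compare, ast.IfExp,
                 ast.UnaryOp, ast.Name, ast.Constant, ast.Load)
ALLOWED_OPERATORS = (ast.Add, ast.Sub, ast.Mult, ast.FloorDiv, ast.Mod,
                     ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
                     ast.And, ast.Or, ast.Not, ast.USub)
MAX_NODES = 100  # assumed budget bounding how large a rule may grow


class PluralExpressionError(ValueError):
    """Raised when a plural rule uses syntax outside the whitelist."""


class _PluralVisitor(ast.NodeVisitor):
    count = 0  # per-instance counter is created on first increment

    def generic_visit(self, node):
        # Every node (operators and contexts included) passes through here, so
        # anything not whitelisted (Call, Attribute, Subscript, JoinedStr,
        # FormattedValue, ...) is rejected before the rule is ever evaluated.
        self.count += 1
        if self.count > MAX_NODES:
            raise PluralExpressionError("plural expression too complex")
        if isinstance(node, ALLOWED_OPERATORS):
            return  # operator nodes carry no children
        if not isinstance(node, ALLOWED_NODES):
            raise PluralExpressionError("disallowed syntax: " + type(node).__name__)
        if isinstance(node, ast.Name) and node.id != "n":
            raise PluralExpressionError("unknown variable: " + node.id)
        if isinstance(node, ast.Constant) and type(node.value) is not int:
            raise PluralExpressionError("only integer constants are allowed")
        super().generic_visit(node)


def check_plural_expression(expr):
    """Parse a Python-syntax plural rule; raise unless it is whitelisted."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise PluralExpressionError("syntax error: %s" % exc) from None
    _PluralVisitor().visit(tree)
    return tree


def is_safe_plural_expression(expr):
    """Boolean form of the check, convenient for tests and logging."""
    try:
        check_plural_expression(expr)
    except PluralExpressionError:
        return False
    return True
```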