The Case Against Python 3
Gregory Ewing
greg.ewing at canterbury.ac.nz
Mon Nov 28 17:35:47 EST 2016
Steve D'Aprano wrote:
> I daresay you are right that a sufficiently clever adversary may have found
> an exploit. But there's no sign that anyone actually did find an exploit,
> until f-strings made exploiting this trivial.

The person who wrote the bug report found at least one
way of exploiting it that doesn't require f-strings.

I agree that f-strings are not to blame here. If we really
want to avoid breaking anyone's ill-conceived attempts at
sandboxing eval, we'd better not add anything more to the
language, ever, because nobody can foresee all the possible
consequences.
--
Greg