Christian Heimes added the comment:

Argh, sorry. I meant to write "The gettext module might be vulnerable to more than f-string attacks.".

May I suggest that you have a look at my old patch? It uses an AST visitor to inspect the AST of a gettext plural expression. It allows only a limited set of AST types as well as a limited amount of expressions. I consider it a superior solution and a fix for more generic attacks. I haven't tested my patch with f-strings yet. It either refuses f-strings FormattedValue already or can be easily modified to reject it.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue28563>
_______________________________________