STINNER Victor <vstin...@python.org> added the comment:
> FWIW I found another place where a similar thing is done, though by chance
> it's probably not exploitable - see GH-22575.

I agree that test_ucn is not exploitable, but it would be nice to harden it anyway. Extract of the code:

    self.assertEqual(unicodedata.lookup(seqname), codepoints)
    with self.assertRaises(SyntaxError):
        self.checkletter(seqname, None)

test_ucn downloads http://www.pythontest.net/unicode/13.0.0/NamedSequences.txt and calls checkletter() on each line, but first it ensures that unicodedata.lookup(seqname) works as expected. I don't see how it would be possible to inject arbitrary Python code in the 'seqname' variable without making unicodedata.lookup() fail.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue41944>
_______________________________________
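The two-step check discussed above, written out as an added example (not code from the CPython test suite or from this thread): unicodedata.lookup() is the gate that rejects any string which is not a registered name before that string is ever embedded in a \N{...} escape. The NamedSequences.txt records are constructed samples, and the final malformed record stands in for an untrusted download.

```python
import ast
import unicodedata

# Constructed sample in the NamedSequences.txt line format
# ("<name>;<hex code points>"). The last record is a deliberately
# malformed one standing in for an untrusted download.
SAMPLE_LINES = [
    "# NamedSequences-13.0.0.txt",
    "",
    "LATIN SMALL LETTER R WITH TILDE;0072 0303",
    'BOGUS NAME" + x + ";0041',
]


def parse_named_sequences(lines):
    """Yield (name, codepoints) pairs, skipping comments and blank lines."""
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, hexes = line.partition(";")
        yield name.strip(), "".join(chr(int(h, 16)) for h in hexes.split())


def check_named_sequence(name, codepoints):
    # Step 1, the gate: lookup() raises KeyError for anything that is not
    # a registered name or alias, so a crafted record never reaches the
    # literal built in step 2.
    looked_up = unicodedata.lookup(name)
    if looked_up != codepoints:
        raise ValueError(f"{name!r}: expected {codepoints!r}, got {looked_up!r}")
    # Step 2: embed the (now trusted) name in a \N{...} escape and parse it
    # with ast.literal_eval(), which only evaluates literal nodes. Named
    # sequences are not valid in \N{} escapes, so a SyntaxError is the
    # expected outcome that test_ucn asserts for these lines.
    try:
        ast.literal_eval(r'"\N{%s}"' % name)
    except SyntaxError:
        return "named-sequence"
    return "single-codepoint"  # a plain character name parses fine


def run_checks(lines):
    """Map each record's name to its check outcome or the rejecting exception."""
    results = {}
    for name, codepoints in parse_named_sequences(lines):
        try:
            results[name] = check_named_sequence(name, codepoints)
        except (KeyError, ValueError) as exc:
            results[name] = type(exc).__name__
    return results
```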