Re: Evaluation of variable as f-string

Fri, 27 Jan 2023 16:50:48 -0800 

Am 23.01.23 um 19:02 schrieb Chris Angelico:


This is supposedly for security reasons. However, when trying to emulate
this behavior that I wanted (and know the security implications of), my
solutions will tend to be less secure. Here is what I have been thinking
about:


If you really want the full power of an f-string, then you're asking
for the full power of eval(),


Exactly.


and that means all the security
implications thereof,


Precisely, as I had stated myself.


not to mention the difficulties of namespacing.


Not an issue in my case.


Have you considered using the vanilla format() method instead?



Yes. It does not provide the functionality I want. Not even the utterly 
trivial example that I gave. To quote myself again, let's say I have an 
arbitrary dictionary x (with many nested data structures), I want an 
expression to be evaluated that can access any members in there.


x = { "y": "z" }
s = "-> {x['y']}"
print(s.format(x = x))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
KeyError: "'y'"


I also want to be able to say things like {'x' * 100}, which .format() 
also does not do.


In other words: I want the evaluation of a variable as an f-string.



But if you really REALLY know what you're doing, just use eval()
directly.



I do, actually, but I hate it. Not because of the security issue, not 
because of namespaces, but because it does not reliably work:


>>> s = "{\"x\" * 4}"
>>> eval("f'" + s + "'")
'xxxx'


As I mentioned, it depends on the exact quoting. Triple quotes only 
shift the problem. Actually replacing/escaping the relevant quotation 
marks is also not trivial.



I don't really see what you'd gain from an f-string. 


The full power of eval.


At very
least, work with a well-defined namespace and eval whatever you need
in that context.


That's what I'm doing.


Maybe, rather than asking for a way to treat a string as code, ask for
what you ACTUALLY need, and we can help?



I want to render data from a template using an easily understandable 
syntax (like an f-string), ideally using native Python. I want the 
template to make use of Python code constructs AND formatting (e.g. 
{x['time']['runtime']['seconds'] // 60:02d}).


Cheers,
Johannes
--
https://mail.python.org/mailman/listinfo/python-list























					Reply via email to