Carl Ekerot added the comment:
Looks good to me. It behaves as intended on every input I can think of.
--
___
Python tracker
<http://bugs.python.org/issue28
Carl Ekerot added the comment:
Judging by the code, this seems to be a much more rigid implementation. I've
only run the unit tests and some variations of my initial examples, and
everything seems to work as intended. Will look at it more closely this
afternoon.
One thing that caug
Carl Ekerot added the comment:
> The gettext module might be vulnerable to f-string attacks
It is. See the example in the first comment (imports added so it runs as shown):
import gettext, os
gettext.c2py('f"{os.system(\'sh\')}"')(0)
This vulnerability seems to be solved in Xiang's patch. The DoS aspect is
Carl Ekerot added the comment:
Verified gettext.c2py with gettext_c2py.patch applied against the plural forms
actually used in localization, listed over at
http://docs.translatehouse.org/projects/localization-guide/en/latest/l10n/pluralforms.html.
I tested all of the non-trivial forms, and
Carl Ekerot added the comment:
It doesn't solve the case when an identifier or number is used as a function:
>>> import gettext
>>> import os
>>> gettext.c2py("n()")(lambda: os.system("sh"))
$
0
>>> gettext.c2py("1()")(0)
Tracebac
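The two failure classes discussed in this thread, arbitrary code reaching eval() and an identifier or number being used as a call ("n()", "1()"), are both closed by not evaluating the plural string as Python at all. The following is an added example and not CPython's gettext code or the patch under review: a tokenizer plus recursive-descent parser that accepts only the C plural-forms grammar (n, unsigned integer literals, the C operators and parentheses) and compiles it into a closure. The names c2py_safe, c2py_unsafe, rejects and the length and nesting caps are this example's own assumptions; c2py_unsafe is the eval() one-liner quoted in the issue, kept only for contrast.

```python
import operator
import re

# Added example (not CPython's gettext module): a whitelist parser for
# C plural-forms expressions that replaces eval() entirely. Grammar,
# limits and helper names below are this example's own choices.

_MAX_LEN = 1000     # assumed cap on expression length (DoS guard)
_MAX_DEPTH = 20     # assumed cap on parenthesis nesting (DoS guard)

_TOKEN_RE = re.compile(
    r"\s*(?:(\d+)|(n)\b|(\|\||&&|==|!=|<=|>=|[<>+\-*/%!?:()]))")


def _tokenize(text):
    """Split into ('num', int) / ('n', 'n') / ('op', str) tokens.
    Any character outside the allowed alphabet (letters other than n,
    quotes, dots, brackets, ...) is a hard error, so f-strings and
    __import__ never reach the parser."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"invalid token at offset {pos}: {text[pos:pos + 10]!r}")
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("num", int(m.group(1))))
        elif m.group(2) is not None:
            tokens.append(("n", "n"))
        else:
            tokens.append(("op", m.group(3)))
    tokens.append(("eof", None))
    return tokens


def _c_div(a, b):
    """C-style integer division: truncates toward zero."""
    if b == 0:
        raise ZeroDivisionError("division by zero in plural expression")
    q = abs(a) // abs(b)
    return q if (a >= 0) == (b >= 0) else -q


def _binop(fn):
    return lambda lf, rf: (lambda n: fn(lf(n), rf(n)))


# Binary operator levels from lowest to highest precedence, as in C.
# || and && are written out so they short-circuit like C does.
_LEVELS = [
    {"||": lambda lf, rf: (lambda n: int(bool(lf(n)) or bool(rf(n))))},
    {"&&": lambda lf, rf: (lambda n: int(bool(lf(n)) and bool(rf(n))))},
    {"==": _binop(lambda a, b: int(a == b)), "!=": _binop(lambda a, b: int(a != b))},
    {"<": _binop(lambda a, b: int(a < b)), ">": _binop(lambda a, b: int(a > b)),
     "<=": _binop(lambda a, b: int(a <= b)), ">=": _binop(lambda a, b: int(a >= b))},
    {"+": _binop(operator.add), "-": _binop(operator.sub)},
    {"*": _binop(operator.mul), "/": _binop(_c_div),
     "%": _binop(lambda a, b: a - b * _c_div(a, b))},
]


class _Parser:
    def __init__(self, tokens):
        self.toks, self.pos, self.depth = tokens, 0, 0

    def peek(self):
        return self.toks[self.pos]

    def take(self, kind, value=None):
        tok = self.peek()
        if tok[0] != kind or (value is not None and tok[1] != value):
            raise ValueError(f"unexpected token {tok!r} at position {self.pos}")
        self.pos += 1
        return tok

    def accept(self, value):
        if self.peek() == ("op", value):
            self.pos += 1
            return True
        return False

    def ternary(self):                       # cond ? a : b, right-associative
        cond = self.binary(0)
        if self.accept("?"):
            yes = self.ternary()
            self.take("op", ":")
            no = self.ternary()
            return lambda n: yes(n) if cond(n) else no(n)
        return cond

    def binary(self, level):                 # left-associative per level
        if level == len(_LEVELS):
            return self.unary()
        left = self.binary(level + 1)
        while self.peek()[0] == "op" and self.peek()[1] in _LEVELS[level]:
            op = self.take("op")[1]
            left = _LEVELS[level][op](left, self.binary(level + 1))
        return left

    def unary(self):
        if self.accept("!"):
            inner = self.unary()
            return lambda n: int(not inner(n))
        return self.primary()

    def primary(self):
        tok = self.peek()
        if tok[0] == "num":
            self.pos += 1
            value = tok[1]
            return lambda n: value
        if tok[0] == "n":
            self.pos += 1
            return lambda n: n
        if self.accept("("):
            self.depth += 1
            if self.depth > _MAX_DEPTH:
                raise ValueError("parenthesis nesting too deep")
            inner = self.ternary()
            self.take("op", ")")
            self.depth -= 1
            return inner
        raise ValueError(f"unexpected token {tok!r} at position {self.pos}")


def c2py_safe(plural):
    """Compile a C plural-forms expression to a function of n without eval()."""
    if len(plural) > _MAX_LEN:
        raise ValueError("plural form expression is too long")
    parser = _Parser(_tokenize(plural))
    body = parser.ternary()
    parser.take("eof")          # rejects trailing junk such as the '()' in 'n()'

    def plural_fn(n):
        if not isinstance(n, int) or n < 0:
            raise TypeError("n must be a non-negative integer")
        return body(n)
    return plural_fn


def c2py_unsafe(plural):
    """The eval() one-liner quoted in this issue, kept only for contrast."""
    return eval("lambda n: int(%s)" % plural)


def rejects(plural):
    """True if c2py_safe refuses the expression at compile time."""
    try:
        c2py_safe(plural)
    except ValueError:
        return True
    return False
```

c2py_unsafe("n()")(lambda: 7) returns 7 because the argument is simply called, which is the "n()" case from the comment above; c2py_safe raises ValueError on the same input at compile time, as it does for "1()", for the f-string payload, and for over-long or deeply nested expressions, while the real plural forms (English, French, Russian, Polish, Arabic) compile and evaluate as in C.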
New submission from Carl Ekerot:
The c2py-function in the gettext module is seriously flawed in many ways due
to its use of eval to create a plural function:
return eval('lambda n: int(%s)' % plural)
My first discovery was that nothing prevents an input plural string that
r