undefined | Better HN

0 pointsbcoates11mo ago0 comments

No, it's exactly the opposite--f-strings are, roughly, eval (that is, unsanitary string concatenation that is presumptively an error in any nontrivial use) to t-strings which are just an alternative expression syntax, and do not even dereference their arguments.

0 comments

rowanG07711mo ago

f-strings are not eval. It's not dynamic. It's simply an expression that is ran just like every other expression.

bcoatesOP11mo ago

Right, and then if you do literally anything with the output other than print() to a tty, it’s an escaping/injection attack.

any_func(f"{attacker_provided}") <=> eval(attacker_provided), from a security/correctness perspective

rowanG07711mo ago

Shooting any unsanitized input into your application is bad. template strings don't make this worse. any_func(attacker_provided) is even worse then any_func(t"{attacker_provided}") since in the later case you actually have reduced the attack surface to just strings.

saagarjha11mo ago

How is this any different from any_func(attacker_provided)

j / k navigate · click thread line to collapse

0 pointsbcoates11mo ago0 comments

0 comments

rowanG07711mo ago

f-strings are not eval. It's not dynamic. It's simply an expression that is ran just like every other expression.

bcoatesOP11mo ago

Right, and then if you do literally anything with the output other than print() to a tty, it’s an escaping/injection attack.

any_func(f"{attacker_provided}") <=> eval(attacker_provided), from a security/correctness perspective

rowanG07711mo ago

saagarjha11mo ago

How is this any different from any_func(attacker_provided)

j / k navigate · click thread line to collapse