bpo-28307: Optimize C-style formatting of numbers by serhiy-storchaka · Pull Request #26160 · python/cpython


Test case(s) that include other % formatting directives within the value would be good.

We want to make sure injection attacks don't exist if this happened to get implemented in the wrong serialized actions manner.

```python
untrusted = '%% %s'                 # value carrying its own % directives
value = 'foo %s bar' % untrusted    # the shape the optimization rewrites
```

results in value == 'foo %% %s bar' rather than raising an exception about tuple size or converting %% into %.

This might make a good test of its own rather than shoehorning it into this one given some complexities of where % directives that'll be peepholed can appear in strings and in combination with others that may or may not be.
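A self-contained probe along the lines the comment asks for, added here as an example (not code from the PR or from CPython's own test suite); the template and the untrusted values are constructed for the demonstration.

```python
"""Checks that %-formatting treats '%' inside *values* as plain text, so a
compile-time rewrite of 'prefix %s suffix' % x into concatenation must never
re-parse directives carried by x. Values are constructed for this demo."""

UNTRUSTED_VALUES = [
    "%% %s",       # the case from the review comment
    "%d",          # would demand an int if re-parsed
    "%(name)s",    # mapping-style directive
    "100%",        # trailing bare percent
    "%",           # lone percent
    "%s %s %s",    # would raise "not enough arguments" if re-parsed
]

def format_untrusted(untrusted: str) -> str:
    # Literal template, single %s, single non-tuple argument: exactly the
    # shape a peephole rewrite to concatenation would target.
    return "foo %s bar" % untrusted

def expected(untrusted: str) -> str:
    # Reference semantics: the value is inserted verbatim, untouched.
    return "foo " + untrusted + " bar"

def verify_all() -> dict:
    """Return {value: (formatted, matches_reference)} for each value."""
    return {v: (format_untrusted(v), format_untrusted(v) == expected(v))
            for v in UNTRUSTED_VALUES}

def template_percent_still_escapes() -> str:
    # '%%' in the *template* must still collapse to one '%', while a
    # '%s' passed as a value stays literal.
    return "%d%% of %s" % (42, "%s")

def missing_argument_still_raises() -> bool:
    # A template needing two values but given one must still raise,
    # whether or not the format was rewritten.
    try:
        "%s and %s" % "only-one"
    except TypeError:
        return True
    return False

def all_ok() -> bool:
    return (all(ok for _, ok in verify_all().values())
            and template_percent_still_escapes() == "42% of %s"
            and missing_argument_still_raises())

if __name__ == "__main__":
    for value, (got, ok) in verify_all().items():
        print(f"{'ok ' if ok else 'BAD'} {value!r:14} -> {got!r}")
    print("all checks passed:", all_ok())
```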