There are two ways I can think of to format strings in Python where user input may make its way into the format string input:

    >>> a = input()
    >>> print(a % ())

    >>> a = input()
    >>> print(a.format())

I understand that in both of the above scenarios, it may be possible to leak secrets (https://security.stackexchange.com/a/239661/107521) given the formatter gets passed an object containing a secret (e.g. '%(token)s' % config or '{config.token}'.format(config=config)).
My question is: are there any security implications of these format string injection bugs in Python when no object is passed to the formatter, e.g. as shown in the first two example code blocks? Is it possible to output an object from globals, etc.?
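
The four formatting calls from the question run side by side on constructed templates, as an added example that is not part of the original post. It records whether each call renders output or raises, and whether the output contains the secret. `Config`, `CONFIG`, `probe`, `leaks_secret` and `render_untrusted` are hypothetical names, and the secret is a constructed value.

```python
# Added example. All names here are hypothetical; the secret and the
# templates are constructed sample values.
class Config:
    def __init__(self):
        self.token = "constructed-secret-123"

CONFIG = Config()

# The formatting calls from the question; each receives the untrusted template.
RENDERERS = {
    "% ()": lambda t: t % (),
    ".format()": lambda t: t.format(),
    "% mapping": lambda t: t % vars(CONFIG),
    ".format(config=...)": lambda t: t.format(config=CONFIG),
}

def probe(renderer, template):
    """Return ('ok', output) or ('error', exception class name)."""
    try:
        return ("ok", RENDERERS[renderer](template))
    except (TypeError, ValueError, KeyError, IndexError, AttributeError) as exc:
        return ("error", type(exc).__name__)

def leaks_secret(renderer, template):
    """True when the rendered output contains the secret."""
    status, value = probe(renderer, template)
    return status == "ok" and CONFIG.token in value

def render_untrusted(text):
    """Hardened form: untrusted text is an argument, never the template."""
    return "{}".format(text)

if __name__ == "__main__":
    samples = ["hello", "100%%", "%s", "%(token)s", "{}", "{config.token}", "{{}}"]
    for name in RENDERERS:
        for s in samples:
            print(f"{name:22} {s!r:18} -> {probe(name, s)}")
    print(render_untrusted("{config.token}"))
```

For these samples, the calls without arguments either return literal text or raise an exception, so an uncaught exception is the observable effect; the calls that receive `config` render the token.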