I'm looking at several cases where it would be far, far, far easier to accept nearly-raw code. So,

1. What's the worst you can do with an expression if you can't lambda, and how?
2. What's the worst you can do with executed code if you can't use import and how? (can't use X == string is scanned for X)

Also, B is unecessary if someone can think of such an expr that given d = {key:value,...}: expr.format(key) == d[key]

Without changing the way the format looks.

The worst you can do with an expression is on the order of

__import__('os').system('rm -rf /')

if the server process is running as root. Otherwise, you can fill up memory and crash the process with

2**2**1024

or bring the server to a grinding halt by executing a shell fork bomb:

__import__('os').system(':(){ :|:& };:')

or execute a temporary (but destructive enough) fork bomb in Python itself:

[__import__('os').fork() for i in xrange(2**64) for x in range(i)]

Scanning for __import__ won't help, since there's an infinite number of ways to get to it, including

eval(''.join(['__', 'im', 'po', 'rt', '__']))
getattr(__builtins__, '__imp' + 'ort__')
getattr(globals()['__built' 'ins__'], '__imp' + 'ort__')

Note that the eval and exec functions can also be used to create any of the above in an indirect way. If you want safe expression evaluation on a server, use ast.literal_eval.

Arbitrary Python code?

• Opening, reading, writing, creating files on the partition. Including filling up all the disk space.
• Infinite loops that put load on the CPU.
• Allocating all the memory.
• Doing things that are in pure Python modules without importing them by copy/pasting their code into the expression (messing with built in Python internals and probably finding a way to access files, execute them or import modules). ...

No amount of whitelisting or blacklisting is going to keep people from getting to dangerous parts of Python. You mention running in a sandbox where "open" is not defined, for example. But I can do this to get it:

real_open = getattr(os, "open")

and if you say I won't have os, then I can do:

real_open = getattr(sys.modules['os'], "open")

or

real_open = random.__builtins__['open']

etc, etc, etc. Everything is connected, and the real power is in there somewhere. Bad guys will find it.