when format strings attack

Eric_Dexter at msn.com Eric_Dexter at msn.com
Sat Jan 20 10:09:40 EST 2007


I will give the formatting a try.  I noticed another formatting thing I
wasn't looking for.  It is possible to have a \n at the end of a word,
or at least that is how it is shown and fixed through Python 2.5.  I
had an error where 36\n isn't a number.  Easy to fix, though.


Jeremy Sanders wrote:
> Steven D'Aprano wrote:
>
> > os.system('dir -l %s' % 'text.txt')
> >
> >
> > Now, there is a security risk: you might set command1 yourself, and
> > allow the user to set args. If command1 is an external application
> > with a security hole, and the user provides arguments that trigger that
> > bug, then naturally your application will inherit whatever security
> > vulnerabilities the external application suffers from. No surprises there.
>
> There are also big risks like this
>
> import os
> filename = 'foo; rm importantfile'
> cmd = 'ls %s' % filename
> os.system(cmd)
> 
> oops!
> 
> -- 
> Jeremy Sanders
> http://www.jeremysanders.net/
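The command-injection risk Jeremy quotes, worked through as an added example (not code from the thread): the same `ls %s` string built from a hostile filename, a count of how many commands a POSIX shell would actually run, and the fix of passing an argument list to `subprocess` without a shell (with `shlex.quote` as the fallback when a shell is unavoidable). The hostile filename is constructed for the demonstration; the child process is a throwaway Python one-liner rather than `ls` so nothing on disk is touched.

```python
import shlex
import subprocess
import sys

# Constructed hostile input of the kind Jeremy shows: a "filename" that
# carries a second command after the ';' separator.
HOSTILE_NAME = 'foo; rm importantfile'


def naive_command(filename):
    """The pattern from the thread: user data interpolated into a shell
    string. Returned rather than executed so it can be inspected safely."""
    return 'ls %s' % filename


def quoted_command(filename):
    """Same shell string, but with the argument escaped by shlex.quote so
    /bin/sh treats the ';' as ordinary characters inside one word."""
    return 'ls %s' % shlex.quote(filename)


def shell_words(cmd):
    """Tokenise cmd the way a POSIX shell would, keeping operators such as
    ';' as separate tokens (punctuation_chars=True needs Python 3.6+)."""
    return list(shlex.shlex(cmd, posix=True, punctuation_chars=True))


def command_count(cmd):
    """Number of simple commands a shell would run: one plus each ';'."""
    return 1 + shell_words(cmd).count(';')


def safe_argv(filename):
    """Preferred fix: no shell at all. Each list element reaches the program
    as exactly one argv entry, so shell metacharacters are never parsed."""
    return ['ls', filename]


def argv_reaches_program_intact(filename):
    """Run a child without a shell and check the hostile string arrives as a
    single argv entry. A Python child stands in for ls so the check is
    portable and creates or deletes nothing."""
    result = subprocess.run(
        [sys.executable, '-c', 'import sys; print(sys.argv[1])', filename],
        capture_output=True, text=True, check=True)
    return result.stdout.rstrip('\n') == filename
```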
