when format strings attack

Nick Maclaren nmm1 at cus.cam.ac.uk
Fri Jan 19 11:19:08 EST 2007


In article <mailman.2908.1169221530.32031.python-list at python.org>,
"Gabriel Genellina" <gagsl-py at yahoo.com.ar> writes:
|> <Eric_Dexter at msn.com> wrote in message 
|> news:1169207467.989977.162940 at q2g2000cwa.googlegroups.com...
|> 
|> > http://www.ddj.com/184405774;jsessionid=BDDEMUGJOPXUMQSNDLQCKHSCJUNN2JVN
|> >
|> > I saw a warning from homeland security about this.  I only comment on
|> > this because I am trying to use os.system('command1 arg') and it doesn't
|> > work, but I do see examples with % that is borrowed from the C language.
|> > Seems like if I can write a batch file that does something, the same
|> > behavior should happen in the os module.
|> 
|> Pure Python programs are not affected, but a review of the C implementation 
|> should be made to see if any (variant of) printf is used without a proper 
|> format. Anyway I doubt you could find something, because the vulnerability 
|> has been so well known for ages.

Not really.  There are LOTS of vulnerabilities that have been known
for ages and are still legion.  The reason that this is unlikely is
that it is both easy to spot and trivial to fix.


Regards,
Nick Maclaren.
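The thread's point is about printf-family calls in C code, where untrusted text must never be the format argument. As an added illustration that is not part of this list thread and not taken from CPython, the C below (my own code; the function names and the sample input are constructed) shows the safe idiom next to the pattern a reviewer looks for, plus a small helper that counts conversion directives in a string so that data reaching a format argument can be checked.

```c
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives in s.  "%%" is a literal percent,
 * not a conversion, so it is skipped.  Run this over any string that reaches a
 * printf-family call as its *format* argument: a nonzero count for data that
 * came from outside the program is exactly the bug the thread describes. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* The correct idiom: the format is a string literal and the untrusted text is
 * passed as an argument, so any '%' inside it is copied, never interpreted.
 * Returns what snprintf returns (the length it would have written). */
int log_message_safe(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "%s", untrusted);
}

/* The pattern to look for in review: the untrusted text IS the format string.
 * Kept under #if 0 only so the difference is visible; it is never compiled
 * or called.  gcc/clang report it with -Wformat -Wformat-security. */
#if 0
int log_message_unsafe(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, untrusted);
}
#endif

int main(void)
{
    char buf[64];
    const char *sample = "100%x done";   /* constructed sample input */
    log_message_safe(buf, sizeof buf, sample);
    printf("stored: \"%s\"  (%d conversion directive(s) in the input)\n",
           buf, count_conversions(sample));
    return 0;
}
```

This is also why Nick's "easy to spot" holds: a non-literal format string with no further arguments is a compile-time warning with `-Wformat -Wformat-security`, and the fix is always the same one-line change to a literal `"%s"` format.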
