when format strings attack
Steven D'Aprano
steve at REMOVE.THIS.cybersource.com.au
Fri Jan 19 14:30:21 EST 2007
On Fri, 19 Jan 2007 10:43:53 -0800, John Zenger wrote:
> Perhaps it is not as severe a security risk, but pure Python programs
> can run into similar problems if they don't check user input for %
> codes.
Please don't top-post.
A: Because it messes up the order that we read things.
Q: Why?
A: Top-posting.
Q: What is the most annoying newsgroup habit?
> Example:
>
> >>> k = raw_input("Try to trick me: ")
> Try to trick me: How about %s this?
> >>> j = "User %s just entered: " + k
> >>> print j % "John"
> Traceback (most recent call last):
>   File "<pyshell#8>", line 1, in ?
>     print j % "John"
> TypeError: not enough arguments for format string
That's hardly the same sort of vulnerability the article was talking
about, but it is a potential bug waiting to bite.
In a serious application, you should keep user-inputted strings separate
from application strings, and never use user strings unless they've been
made safe. See Joel Spolsky's excellent article about one way of doing
that:
http://www.joelonsoftware.com/articles/Wrong.html
--
Steven.
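As an added illustration (not code from the thread; written here in Python 3, so `input`/`print` semantics differ from the 2007 session quoted above), the buggy pattern John shows beside the separation Steven recommends: the format string stays application-owned and user text only ever travels as an argument. Function names and sample inputs are constructed for the example.

```python
# Added example: why concatenating user text INTO a % format string is a bug,
# and the two defensive alternatives (separate template, or escape '%').

def unsafe_log_line(user_text, username):
    """The pattern from the thread: user text becomes part of the template,
    so any '%' it contains is parsed as a conversion specifier."""
    template = "User %s just entered: " + user_text
    return template % username


def safe_log_line(user_text, username):
    """Template is a constant owned by the application; user text is data."""
    template = "User %s just entered: %s"
    return template % (username, user_text)


def escape_percent(user_text):
    """Only if user text truly must be embedded in a template: neutralise '%'."""
    return user_text.replace("%", "%%")


def probe_unsafe(user_text, username="John"):
    """Return the formatted line, or the name of the exception the buggy
    pattern raises for this (constructed) input."""
    try:
        return unsafe_log_line(user_text, username)
    except (TypeError, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # Constructed sample inputs a user might type.
    for text in ["plain text", "How about %s this?", "100%"]:
        print("unsafe:", repr(text), "->", probe_unsafe(text))
        print("safe:  ", repr(text), "->", safe_log_line(text, "John"))
```

Note that the failure mode depends on the input: a stray `%s` gives `TypeError` (not enough arguments), while a trailing `%` gives `ValueError` (incomplete format); the safe version returns the same line for all of them.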