when format strings attack

Jeremy Sanders jeremy+complangpython at jeremysanders.net
Fri Jan 19 15:00:54 EST 2007


Steven D'Aprano wrote:
 
> os.system('dir -l %s' % 'text.txt')
> 
> 
> Now, there is a security risk: you might set command1 yourself, and
> allow the user to set args. If command1 is an external application
> with a security hole, and the user provides arguments that trigger that
> bug, then naturally your application will inherit whatever security
> vulnerabilities the external application suffers from. No surprises there.

There are also big risks like this

import os

filename = 'foo; rm importantfile'   # attacker-controlled value
cmd = 'ls %s' % filename             # becomes: ls foo; rm importantfile
os.system(cmd)                       # the shell runs both commands

oops!

-- 
Jeremy Sanders
http://www.jeremysanders.net/
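The injection in the reply above, with the fix a practitioner would apply, as an added example that is not part of the original post. It assumes POSIX shell quoting rules (the `shlex` module's model) and uses the Python interpreter itself as the child process, so it runs offline without touching any real file. The hostile filename is the one from the post; `unsafe_command()` only builds the string, it never executes it.

```python
import json
import shlex
import subprocess
import sys

# Constructed sample input: the hostile "filename" from the post.
HOSTILE_NAME = "foo; rm importantfile"


def unsafe_command(filename):
    """Build (but never run) the string the post's pattern hands to os.system()."""
    return "ls %s" % filename


def command_count(command):
    """Heuristic: count how many shell commands a string would run.

    shlex with punctuation_chars=True emits ';' as its own token, so
    one unquoted ';' means the shell would see two commands.
    """
    tokens = list(shlex.shlex(command, posix=True, punctuation_chars=True))
    return tokens.count(";") + 1


def quoted_command(filename):
    """Hardened string form: shlex.quote() makes the name a single word."""
    return "ls -l %s" % shlex.quote(filename)


def safe_argv(filename):
    """Hardened argv form: no shell at all, the name is one argv element."""
    return ["ls", "-l", filename]


def child_argv(filename):
    """Run a child without a shell and return the argv it actually received.

    Uses the interpreter as a stand-in for 'ls' so the check is portable.
    """
    result = subprocess.run(
        [sys.executable, "-c",
         "import sys, json; print(json.dumps(sys.argv[1:]))", filename],
        capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


if __name__ == "__main__":
    print("unsafe :", unsafe_command(HOSTILE_NAME),
          "->", command_count(unsafe_command(HOSTILE_NAME)), "commands")
    print("quoted :", quoted_command(HOSTILE_NAME),
          "->", command_count(quoted_command(HOSTILE_NAME)), "command")
    print("argv   :", safe_argv(HOSTILE_NAME))
    print("child saw:", child_argv(HOSTILE_NAME))
```

The argv form is the one to prefer: `subprocess.run(safe_argv(name))` never invokes a shell, so no quoting rule can be wrong. `shlex.quote()` is the fallback when a shell string is unavoidable, and `command_count()` is a cheap review aid for spotting strings where user input can introduce a command separator.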
