First security bug related to f-strings

Steve D'Aprano steve+python at pearwood.info
Sat Nov 5 13:12:07 EDT 2016


Well, that didn't take very long at all.

Here's the first security bug which is related to the new (and badly
misnamed) f-string feature:

http://bugs.python.org/issue28563

Note what I'm not saying: I'm not saying that the bug is *caused* by
f-strings. It is not. The bug is actually caused by the inappropriate use
of eval. But the worrying thing here is:


    Bonus: With the new string interpolation in Python 3.7, exploiting 
    gettext.c2py becomes trivial:

       gettext.c2py('f"{os.system(\'sh\')}"')(0)

    The tokenizer will recognize the entire format-string as just a string,
    thus bypassing the security checks.


Yay for hiding arbitrary code evaluation inside something that pretends to
be a string!

My guess is that there is probably more code out there in the wild which is
vulnerable to code injection attacks thanks to the use of eval or exec, but
it's been too hard to exploit up until now. But with f-strings, chances are
that they too will be trivially exploitable.



-- 
Steve
“Cheer up,” they said, “things could be worse.” So I cheered up, and sure
enough, things got worse.
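An added illustration of the failure mode the post describes (this is example code written for this page, not CPython's gettext module and not Steve's code): a token-allowlist check that only inspects NAME tokens, modelled on the class of check the quoted bug report describes, beside an AST-based validator that rejects anything other than the arithmetic and comparison nodes a gettext plural expression needs. The function names, the `FSTRING_PROBE` string and the sample plural expressions are constructed for the example; the probe is only classified, never evaluated. Note that on Python 3.12 and later the tokenizer splits f-strings into their component tokens, so the naive check sees the hidden names again there; the AST check does not depend on that.

```python
import ast
import io
import re
import sys
import token
import tokenize

# Constructed probe: an f-string that hides a name lookup and a call inside
# what the pre-3.12 tokenizer reports as a single STRING token.
FSTRING_PROBE = 'f"{os.getcwd()}"'

# Python 3.12 (PEP 701) tokenizes the expression parts of an f-string
# separately, so a NAME-based check sees 'os' again on 3.12+; on 3.6 to 3.11
# the whole f-string is one STRING token and the names inside are invisible.
TOKENIZER_HIDES_FSTRING_BODY = sys.version_info < (3, 12)


def naive_token_check(expr):
    """The weak check: allow only the identifier 'n' among NAME tokens.

    Returns True when the expression passes. This is the style of check the
    bug report describes, written here for illustration (assumption: it is
    not the library's code).
    """
    try:
        toks = list(tokenize.generate_tokens(io.StringIO(expr).readline))
    except (tokenize.TokenError, SyntaxError):
        return False
    return all(t.type != token.NAME or t.string == 'n' for t in toks)


_TERNARY = re.compile(r'(.*?)\?(.*?):(.*)')


def _c_to_py(expr):
    """Rewrite the C operators of a plural expression into Python syntax."""
    expr = expr.replace('&&', ' and ').replace('||', ' or ').replace('/', '//')
    expr = re.sub(r'!([^=])', r' not \1', expr)

    def repl(m):
        # C ternaries nest to the right; convert the tail recursively.
        cond, if_true, rest = m.group(1), m.group(2), m.group(3)
        return '(%s if %s else %s)' % (if_true, cond, _TERNARY.sub(repl, rest))

    return _TERNARY.sub(repl, expr)


# Every node type a plural expression legitimately needs; JoinedStr (f-strings),
# Call, Attribute, Subscript and so on are simply absent and therefore rejected.
_ALLOWED = (ast.Expression, ast.BoolOp, ast.BinOp, ast.UnaryOp, ast.Compare,
            ast.IfExp, ast.Name, ast.Constant, ast.Load,
            ast.And, ast.Or, ast.Not, ast.USub,
            ast.Add, ast.Sub, ast.Mult, ast.FloorDiv, ast.Mod,
            ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE)


def validate_plural_ast(tree):
    """Raise ValueError unless the tree uses only allowed nodes, the name n
    and integer literals. The check is structural, so wrapping code in an
    f-string changes nothing: the JoinedStr node itself is disallowed."""
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ValueError('disallowed syntax: %s' % type(node).__name__)
        if isinstance(node, ast.Name) and node.id != 'n':
            raise ValueError('disallowed identifier: %s' % node.id)
        if isinstance(node, ast.Constant) and not isinstance(node.value, int):
            raise ValueError('only integer literals are allowed')


def is_safe_plural_expr(expr):
    """True if the expression survives the AST allowlist, False otherwise."""
    try:
        validate_plural_ast(ast.parse(_c_to_py(expr), mode='eval'))
    except (ValueError, SyntaxError):
        return False
    return True


def safe_plural_func(expr):
    """Compile a validated plural expression into a function of n."""
    tree = ast.parse(_c_to_py(expr), mode='eval')
    validate_plural_ast(tree)
    code = compile(tree, '<plural>', 'eval')
    # The validated AST is what gets compiled, never the raw text.
    return lambda n: int(eval(code, {'__builtins__': {}}, {'n': n}))


if __name__ == '__main__':
    print('naive check passes f-string probe:', naive_token_check(FSTRING_PROBE))
    print('AST check passes f-string probe:  ', is_safe_plural_expr(FSTRING_PROBE))
    three_way = 'n==1 ? 0 : n%10>=2 && n%10<=4 ? 1 : 2'
    print([safe_plural_func(three_way)(n) for n in (1, 3, 5, 22)])
```

The point of the AST version is that the decision is made on parsed structure rather than on the tokenizer's opinion of what is "just a string", and that the validated tree, not the original text, is what gets compiled.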