when format strings attack

Gabriel Genellina gagsl-py at yahoo.com.ar
Fri Jan 19 20:27:46 CET 2007

At Friday 19/1/2007 15:43, John Zenger wrote:

>Perhaps it is not as severe a security risk, but pure Python programs
>can run into similar problems if they don't check user input for %
>codes.  Example:
> >>> k = raw_input("Try to trick me: ")
>Try to trick me: How about %s this?
> >>> j = "User %s just entered: " + k
> >>> print j % "John"
>Traceback (most recent call last):
>   File "<pyshell#8>", line 1, in ?
>     print j % "John"
>TypeError: not enough arguments for format string

That's not a problem, it's an exception. *This* is a problem: 
printf("Hello, %s")

Gabriel Genellina
Softlab SRL 
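The difference the thread is pointing at, as an added example (not code from either poster): the quoted pattern splices user text into the format string, so any `%` code the user typed either raises or alters the output, whereas passing the text as a format argument renders it literally. The function and variable names are my own.

```python
def unsafe_greeting(user, entered):
    """The pattern from the quoted post: user-controlled text becomes
    part of the format string itself."""
    j = "User %s just entered: " + entered
    return j % user


def safe_greeting(user, entered):
    """Hardened form: user-controlled text is only ever a format
    argument, so '%' characters in it are printed verbatim."""
    return "User %s just entered: %s" % (user, entered)


def classify(user, entered):
    """Run the unsafe pattern and report how it fails.

    Returns ("ok", text) when the input contained no format codes,
    otherwise (exception class name, message).  Python raises rather
    than reading past the argument list, which is why the quoted
    TypeError is a nuisance and not a memory-safety problem."""
    try:
        return ("ok", unsafe_greeting(user, entered))
    except (TypeError, ValueError) as exc:
        return (type(exc).__name__, str(exc))


if __name__ == "__main__":
    # Constructed sample inputs, including the one from the quoted post.
    for text in ("hello", "How about %s this?", "100%", "%d apples"):
        print(classify("John", text))
        print(safe_greeting("John", text))
```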

