when format strings attack
John Zenger
johnzenger at gmail.com
Fri Jan 19 13:43:53 EST 2007
Perhaps it is not as severe a security risk, but pure Python programs
can run into similar problems if they don't check user input for %
codes. Example:
>>> k = raw_input("Try to trick me: ")
Try to trick me: How about %s this?
>>> j = "User %s just entered: " + k
>>> print j % "John"
Traceback (most recent call last):
File "<pyshell#8>", line 1, in ?
print j % "John"
TypeError: not enough arguments for format string
On Jan 19, 10:44 am, "Gabriel Genellina" <gagsl... at yahoo.com.ar> wrote:
> <Eric_Dex... at msn.com> escribió en el mensajenews:1169207467.989977.162940 at q2g2000cwa.googlegroups.com...
>
> >http://www.ddj.com/184405774;jsessionid=BDDEMUGJOPXUMQSNDLQCKHSCJUNN2JVN
>
> > I saw a warning from homeland security about this. I only comment on
> > the because I am trying to use os.system('command1 arg') and it doesn't
> > work but I do see examples with % that is borrowed from the c language.
> > Seems like if I can write a batch file that does something the same
> > behavior should happen in the os module..Pure Python programs are not affected, but a review of the C implementation
> should be made to see if any (variant of) printf is used without a proper
> format. Anyway I doubt you could find something, because the vulnerability
> is so well known for ages.
>
> --
> Gabriel Genellina
More information about the Python-list
mailing list