when format strings attack

Steven D'Aprano steve at REMOVE.THIS.cybersource.com.au
Fri Jan 19 20:30:21 CET 2007


On Fri, 19 Jan 2007 10:43:53 -0800, John Zenger wrote:

> Perhaps it is not as severe a security risk, but pure Python programs
> can run into similar problems if they don't check user input for %
> codes.

Please don't top-post.

A: Because it messes up the order that we read things.
Q: Why?
A: Top-posting.
Q: What is the most annoying newsgroup habit?


> Example:
> 
>>>> k = raw_input("Try to trick me: ")
> Try to trick me: How about %s this?
>>>> j = "User %s just entered: " + k
>>>> print j % "John"
> Traceback (most recent call last):
>   File "<pyshell#8>", line 1, in ?
>     print j % "John"
> TypeError: not enough arguments for format string

That's hardly the same sort of vulnerability the article was talking
about, but it is a potential bug waiting to bite.

In a serious application, you should keep user-inputted strings separate
from application strings, and never use user strings unless they've been
made safe. See Joel Spolsky's excellent article about one way of doing
that:

http://www.joelonsoftware.com/articles/Wrong.html



-- 
Steven.




More information about the Python-list mailing list