when format strings attack

Steven D'Aprano steve at REMOVE.THIS.cybersource.com.au
Fri Jan 19 20:30:21 CET 2007

On Fri, 19 Jan 2007 10:43:53 -0800, John Zenger wrote:

> Perhaps it is not as severe a security risk, but pure Python programs
> can run into similar problems if they don't check user input for %
> codes.

Please don't top-post.

A: Because it messes up the order that we read things.
Q: Why?
A: Top-posting.
Q: What is the most annoying newsgroup habit?

> Example:
>>>> k = raw_input("Try to trick me: ")
> Try to trick me: How about %s this?
>>>> j = "User %s just entered: " + k
>>>> print j % "John"
> Traceback (most recent call last):
>   File "<pyshell#8>", line 1, in ?
>     print j % "John"
> TypeError: not enough arguments for format string

That's hardly the same sort of vulnerability the article was talking
about, but it is a potential bug waiting to bite.

In a serious application, you should keep user-inputted strings separate
from application strings, and never use user strings unless they've been
made safe. See Joel Spolsky's excellent article about one way of doing
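
The pattern above, as an added example that is not part of the original post: the concatenation bug beside the two ways of keeping user text out of the template. The sample inputs are constructed for illustration; the post's own input ("How about %s this?") is the first of them. The code is written for Python 3 but uses the same % formatting the post discusses.

```python
# Added example (not from the original post): why user input must never become
# part of a %-format template, and two ways to keep it separate.

# Constructed sample inputs, the first one taken from the post.
TRICKY_INPUTS = [
    "How about %s this?",   # extra %s: "not enough arguments for format string"
    "50% off today",        # "% o" parses as a flag plus an octal conversion
    "100%",                 # trailing %: "incomplete format"
]


def unsafe_format(user_input, name):
    """The pattern from the post: user text is glued onto the template, so any
    % codes in it are interpreted as conversions and consume arguments."""
    template = "User %s just entered: " + user_input
    return template % name


def safe_format_as_argument(user_input, name):
    """Keep the application's template fixed; user data travels only as an
    argument, where % characters are plain data."""
    template = "User %s just entered: %s"
    return template % (name, user_input)


def escape_percent(user_input):
    """Make a user string safe to embed in a %-format template by doubling
    every %, so '%s' in the input renders as the literal text '%s'."""
    return user_input.replace("%", "%%")


def safe_format_escaped(user_input, name):
    """Same template construction as unsafe_format, but with the user string
    neutralised first ("made safe" in the post's words)."""
    template = "User %s just entered: " + escape_percent(user_input)
    return template % name


def probe(user_input, name="John"):
    """Return (exception name raised by the unsafe pattern or None,
    result of the argument-based pattern, result of the escaped pattern)."""
    try:
        unsafe_format(user_input, name)
        failure = None
    except (TypeError, ValueError) as exc:  # both come out of % formatting
        failure = type(exc).__name__
    return (
        failure,
        safe_format_as_argument(user_input, name),
        safe_format_escaped(user_input, name),
    )


def post_example():
    """Reproduce the exact message from the quoted session."""
    try:
        unsafe_format(TRICKY_INPUTS[0], "John")
    except TypeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for text in TRICKY_INPUTS:
        print(repr(text), "->", probe(text))
```

Both safe variants produce the same output for every input; the argument-based one is preferable because it does not depend on remembering to escape, which is the point of keeping user strings and application strings apart in the first place.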
