Loop through a dict changing keys

Steven D'Aprano steve+comp.lang.python at pearwood.info
Sun Oct 16 19:25:48 EDT 2011


On Sun, 16 Oct 2011 11:20:49 -0700, Gnarlodious wrote:

> On Oct 15, 5:53 pm, PoD <p... at internode.on.net> wrote:
> 
>> data = {
>>     'Mobile': 'string',
>>     'context': '<malicious code>',
>>     'order': '7',
>>     'time': 'True'}
>> types={'Mobile':str,'context':str,'order':int,'time':bool}
>>
>> for k,v in data.items():
>>     data[k] = types[k](v)
> 
> Thanks for the tip, I didn't know you could do that. I ended up
> filtering the values the bulky way, 

What is "the bulky way"?

> but it gives me total control over
> what internet users feed my program.

Why does this not fill me with confidence?

As Jon Clements has already spotted, there is a major bug in the above: 
using bool as shown is not correct. Furthermore, converting '<malicious 
code>' into a string does nothing, since it is already a string.

Gnarlodious, it is good that you are concerned about code injection 
attacks, but defending against them is not simple or easy. I don't intend 
to sound condescending, but when your response to being shown a simple 
filter that maps keys to types is to say "I didn't know you could do 
that", that's a good warning that your Python experience may not be quite 
up to the job of out-guessing the sort of obscure tricks hostile 
attackers may use.

If you think that defending against malicious code is simple, you should 
read this blog post:

http://tav.espians.com/a-challenge-to-break-python-security.html

and the thread which inspired it:

http://mail.python.org/pipermail/python-dev/2009-February/086401.html


How do you sanitize user input?


-- 
Steven
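The bool problem Steven points out, shown concretely in an added example that is not code from PoD or from this thread: a stricter version of the quoted key-to-type filter, with a parser that only accepts real boolean literals and a mapping that rejects unexpected or missing fields instead of passing them through. The names parse_bool, SCHEMA and coerce_fields are mine.

```python
# Added example, not PoD's or Steven's code: a strict version of the
# key-to-type filter quoted above. Names here are mine, not the thread's.

def parse_bool(value: str) -> bool:
    """Accept only the literal strings 'true'/'false' (case-insensitive).

    bool('False') is True because any non-empty string is truthy, so
    types[k](v) with bool silently turns every submitted value into True.
    """
    normalized = value.strip().lower()
    if normalized == "true":
        return True
    if normalized == "false":
        return False
    raise ValueError(f"not a boolean literal: {value!r}")

# Constructed schema mirroring the thread's `types` dict, with the bool
# converter replaced. Note str(v) leaves '<malicious code>' untouched:
# type coercion is not sanitising; escape at the point of output instead.
SCHEMA = {
    "Mobile": str,
    "context": str,
    "order": int,
    "time": parse_bool,
}

def coerce_fields(data: dict, schema: dict = SCHEMA) -> dict:
    """Return a new dict with each value converted according to schema.

    Unknown and missing keys are rejected rather than passed through,
    and a failed conversion names the offending field.
    """
    unknown = set(data) - set(schema)
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    missing = set(schema) - set(data)
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    converted = {}
    for key, convert in schema.items():
        raw = data[key]
        if not isinstance(raw, str):
            raise TypeError(f"{key}: expected str, got {type(raw).__name__}")
        try:
            converted[key] = convert(raw)
        except ValueError as exc:
            raise ValueError(f"{key}: {exc}") from None
    return converted
```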
