Analysis of Python's new string format vulnerabilities and solutions-Python Tutorial-php.cn

Home

Backend Development

Python Tutorial

Analysis of Python's new string format vulnerabilities and solutions

巴扎黑

Aug 16, 2017 pm 01:47 PM

pythonstringloopholes

Recently a python string formatting vulnerability caught my attention. Today I will talk about the security vulnerability of a new syntax for formatting strings introduced by Python. I conducted an in-depth analysis and provided corresponding security measures. solution.

When we use str.format for untrusted user input, it will bring security risks - I have actually known about this problem for a long time, but I didn't really realize it until today severity. Because attackers can use it to bypass the Jinja2 sandbox, this will cause serious information leakage problems. In the meantime, I provide a new safe version of str.format at the end of this article.

It should be reminded that this is a quite serious security risk. The reason why I write an article here is because most people probably don’t know how easy it is to be exploited.

Core Issue

Starting from Python 2.6, Python has introduced a new syntax for formatting strings inspired by .NET. Of course, in addition to Python, Rust and some other programming languages also support this syntax. With the help of the .format() method, this syntax can be applied to both byte and unicode strings (in Python 3, only unicode strings), and it can also be mapped to more customizable strings. Formatter API.

A feature of this syntax is that it allows one to determine the positional and keyword parameters of the string format and to explicitly reorder the data items at any time. Furthermore, it can even access the object's properties and data items - which is the root cause of the security issue here.

Overall, one can use this to do the following things:

>>> &#39;class of {0} is {0.__class__}&#39;.format(42)
"class of 42 is "

Essentially, anyone with control over the format string has the potential to access various internal properties of the object.

where is the problem?

The first question is, how to control the format string. You can start from the following places:

1. Untrusted translator in string file. We're likely to get away with them, because many applications translated into multiple languages use this new Python string formatting method, but not everyone will perform a thorough review of all strings entered.

2. User exposed configuration. Because some system users can configure certain behaviors, these configurations may be exposed in the form of format strings. As a special note, I have seen some users configure notification emails, log message formats, or other basic templates through the web application.

Danger level

If you just pass the C interpreter object to the format string, there will not be much danger, because in this case, you will expose some integer classes at most. s things.

However, once a Python object is passed to this format string, it becomes troublesome. This is because the amount of stuff that can be exposed from Python functions is pretty staggering. Here is the scenario of a hypothetical web application that could leak the key:

CONFIG = {
    &#39;SECRET_KEY&#39;: &#39;super secret key&#39;
}
 
class Event(object):
    def __init__(self, id, level, message):
        self.id = id
        self.level = level
        self.message = message
 
def format_event(format_string, event):
    return format_string.format(event=event)

If the user can inject the format_string here, then they can discover the secret characters like this String:

{event.__init__.__globals__[CONFIG][SECRET_KEY]}

Sandbox formatting

So, what should you do if you need to let others provide the formatting string? In fact, some undocumented internal mechanisms can be used to change the string formatting behavior.

from string import Formatter
from collections import Mapping
 
class MagicFormatMapping(Mapping):
    """This class implements a dummy wrapper to fix a bug in the Python
    standard library for string formatting.
 
    See http://bugs.python.org/issue13598 for information about why
    this is necessary.
    """
 
    def __init__(self, args, kwargs):
        self._args = args
        self._kwargs = kwargs
        self._last_index = 0
 
    def __getitem__(self, key):
        if key == &#39;&#39;:
            idx = self._last_index
            self._last_index += 1
            try:
                return self._args[idx]
            except LookupError:
                pass
            key = str(idx)
        return self._kwargs[key]
 
    def __iter__(self):
        return iter(self._kwargs)
 
    def __len__(self):
        return len(self._kwargs)
 
# This is a necessary API but it&#39;s undocumented and moved around
# between Python releases
try:
    from _string import formatter_field_name_split
except ImportError:
    formatter_field_name_split = lambda \
        x: x._formatter_field_name_split()
{C} 
class SafeFormatter(Formatter):
 
    def get_field(self, field_name, args, kwargs):
        first, rest = formatter_field_name_split(field_name)
        obj = self.get_value(first, args, kwargs)
        for is_attr, i in rest:
            if is_attr:
                obj = safe_getattr(obj, i)
            else:
                obj = obj[i]
        return obj, first
 
def safe_getattr(obj, attr):
    # Expand the logic here.  For instance on 2.x you will also need
    # to disallow func_globals, on 3.x you will also need to hide
    # things like cr_frame and others.  So ideally have a list of
    # objects that are entirely unsafe to access.
    if attr[:1] == &#39;_&#39;:
        raise AttributeError(attr)
    return getattr(obj, attr)
 
def safe_format(_string, *args, **kwargs):
    formatter = SafeFormatter()
    kwargs = MagicFormatMapping(args, kwargs)
    return formatter.vformat(_string, args, kwargs)

Now, we can use the safe_format method to replace str.format:

>>> &#39;{0.__class__}&#39;.format(42)
""
>>> safe_format(&#39;{0.__class__}&#39;, 42)
Traceback (most recent call last):
  File "", line 1, in
AttributeError: __class__

Summary:

There is such a saying in program development: Do not trust the user at any time input of! Now it seems that this sentence makes perfect sense. So students, please keep this in mind!

The above is the detailed content of Analysis of Python's new string format vulnerabilities and solutions. For more information, please follow other related articles on the PHP Chinese website!

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Python and Time: Making the Most of Your Study TimeApr 14, 2025 am 12:02 AM

To maximize the efficiency of learning Python in a limited time, you can use Python's datetime, time, and schedule modules. 1. The datetime module is used to record and plan learning time. 2. The time module helps to set study and rest time. 3. The schedule module automatically arranges weekly learning tasks.

Python: Games, GUIs, and MoreApr 13, 2025 am 12:14 AM

Python excels in gaming and GUI development. 1) Game development uses Pygame, providing drawing, audio and other functions, which are suitable for creating 2D games. 2) GUI development can choose Tkinter or PyQt. Tkinter is simple and easy to use, PyQt has rich functions and is suitable for professional development.

Python vs. C : Applications and Use Cases ComparedApr 12, 2025 am 12:01 AM

Python is suitable for data science, web development and automation tasks, while C is suitable for system programming, game development and embedded systems. Python is known for its simplicity and powerful ecosystem, while C is known for its high performance and underlying control capabilities.

The 2-Hour Python Plan: A Realistic ApproachApr 11, 2025 am 12:04 AM

You can learn basic programming concepts and skills of Python within 2 hours. 1. Learn variables and data types, 2. Master control flow (conditional statements and loops), 3. Understand the definition and use of functions, 4. Quickly get started with Python programming through simple examples and code snippets.

Python: Exploring Its Primary ApplicationsApr 10, 2025 am 09:41 AM

Python is widely used in the fields of web development, data science, machine learning, automation and scripting. 1) In web development, Django and Flask frameworks simplify the development process. 2) In the fields of data science and machine learning, NumPy, Pandas, Scikit-learn and TensorFlow libraries provide strong support. 3) In terms of automation and scripting, Python is suitable for tasks such as automated testing and system management.

How Much Python Can You Learn in 2 Hours?Apr 09, 2025 pm 04:33 PM

You can learn the basics of Python within two hours. 1. Learn variables and data types, 2. Master control structures such as if statements and loops, 3. Understand the definition and use of functions. These will help you start writing simple Python programs.

How to teach computer novice programming basics in project and problem-driven methods within 10 hours?Apr 02, 2025 am 07:18 AM

How to teach computer novice programming basics within 10 hours? If you only have 10 hours to teach computer novice some programming knowledge, what would you choose to teach...

How to avoid being detected by the browser when using Fiddler Everywhere for man-in-the-middle reading?Apr 02, 2025 am 07:15 AM

How to avoid being detected when using FiddlerEverywhere for man-in-the-middle readings When you use FiddlerEverywhere...

See all articles

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

R.E.P.O. Best Graphic Settings

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Assassin's Creed Shadows: Seashell Riddle Solution

2 weeks agoByDDD

R.E.P.O. How to Fix Audio if You Can't Hear Anyone

4 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

WWE 2K25: How To Unlock Everything In MyRise

1 months agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

MantisBT

Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.

Atom editor mac version download

The most popular open source editor

SublimeText3 Linux new version

SublimeText3 Linux latest version

DVWA

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software

mPDF

mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),

Hot Topics

Where is the login entrance for gmail email?

7500

CakePHP Tutorial

1377

What is the format of the account name of steam

win11 activation key permanent

nyt connections hints and answers