Open In App
Related Articles

Vulnerability in str.format() in Python

Improve Article
Save Article
Like Article

Prerequisites: Python – format() function

str.format() is one of the string formatting methods in Python3, which allows multiple substitutions and value formatting. This method lets us concatenate elements within a string through positional formatting. It seems quite a cool thing. But the vulnerability comes when our Python app uses str.format in the user-controlled string. This vulnerability may lead attackers to get access to sensitive information.

Note: This issue has been reported here
str format vulnerability

So how come this becomes a vulnerability. Let’s see the following example


# Let us assume this CONFIG holds some sensitive information
    "KEY": "ASXFYFGK78989"
class PeopleInfo:
    def __init__(self, fname, lname):
        self.fname = fname
        self.lname = lname
def get_name_for_avatar(avatar_str, people_obj):
    return avatar_str.format(people_obj = people_obj)
# Driver Code
people = PeopleInfo('GEEKS', 'FORGEEKS')
# case 1: st obtained from user
st = input()
get_name_for_avatar(st, people_obj = people)

Case 1:
when user gives the following str as input




Case 2:
when user inputs the following str as input




This is because string formatting functions could access attributes objects as well which could leak data. Now a question might arise. Is it bad to use str.format()?. No, but it becomes vulnerable when it is used over user-controlled strings.

Whether you're preparing for your first job interview or aiming to upskill in this ever-evolving tech landscape, GeeksforGeeks Courses are your key to success. We provide top-quality content at affordable prices, all geared towards accelerating your growth in a time-bound manner. Join the millions we've already empowered, and we're here to do the same for you. Don't miss out - check it out now!

Last Updated : 08 Jun, 2020
Like Article
Save Article
Similar Reads
Complete Tutorials