Vulnerability in str.format() in Python
Prerequisites: Python – format() function
str.format() is one of the string formatting methods in Python3, which allows multiple substitutions and value formatting. This method lets us concatenate elements within a string through positional formatting. It seems quite a cool thing. But the vulnerability comes when our Python app uses str.format in the user-controlled string. This vulnerability may lead attackers to get access to sensitive information.
Note: This issue has been reported here
str format vulnerability
So how come this becomes a vulnerability. Let’s see the following example
when user gives the following str as input
when user inputs the following str as input
This is because string formatting functions could access attributes objects as well which could leak data. Now a question might arise. Is it bad to use str.format()?. No, but it becomes vulnerable when it is used over user-controlled strings.