Skip to content
Related Articles

Related Articles

Vulnerability in str.format() in Python

View Discussion
Improve Article
Save Article
  • Last Updated : 08 Jun, 2020

Prerequisites: Python – format() function

str.format() is one of the string formatting methods in Python3, which allows multiple substitutions and value formatting. This method lets us concatenate elements within a string through positional formatting. It seems quite a cool thing. But the vulnerability comes when our Python app uses str.format in the user-controlled string. This vulnerability may lead attackers to get access to sensitive information.

Note: This issue has been reported here
str format vulnerability

So how come this becomes a vulnerability. Let’s see the following example

Example:




# Let us assume this CONFIG holds some sensitive information
CONFIG = {
    "KEY": "ASXFYFGK78989"
}
  
class PeopleInfo:
    def __init__(self, fname, lname):
        self.fname = fname
        self.lname = lname
  
def get_name_for_avatar(avatar_str, people_obj):
    return avatar_str.format(people_obj = people_obj)
  
  
# Driver Code
people = PeopleInfo('GEEKS', 'FORGEEKS')
  
# case 1: st obtained from user
st = input()
get_name_for_avatar(st, people_obj = people)

Case 1:
when user gives the following str as input
Avatar_{people_obj.fname}_{people_obj.lname}
Output:
Avatar_GEEKS_FORGEEKS
Case 2:
when user inputs the following str as input
{people_obj.__init__.__globals__[CONFIG][KEY]}
Output:
ASXFYFGK78989
This is because string formatting functions could access attributes objects as well which could leak data. Now a question might arise. Is it bad to use str.format()?. No, but it becomes vulnerable when it is used over user-controlled strings.
My Personal Notes
arrow_drop_up
Previous
sympy.stats.Wald() in Python
Next

Important differences between Python 2.x and Python 3.x with examples
Recommended Articles
Page :
Vulnerability in input() function – Python 2.x
10, May 17
Important differences between Python 2.x and Python 3.x with examples
25, Feb 16
Python | Merge Python key values to list
31, Jul 19
Reading Python File-Like Objects from C | Python
06, Jun 19
Python | Add Logging to a Python Script
11, Jun 19
Python | Add Logging to Python Libraries
11, Jun 19
JavaScript vs Python : Can Python Overtop JavaScript by 2020?
12, Jun 19
Python | Visualizing O(n) using Python
17, Aug 19
Python | Index of Non-Zero elements in Python list
02, Sep 19
Python | Convert list to Python array
26, Sep 19
MySQL-Connector-Python module in Python
04, Mar 20
Python - Read blob object in python using wand library
21, Apr 20
Python | PRAW - Python Reddit API Wrapper
26, Apr 20
twitter-text-python (ttp) module - Python
28, May 20
Reusable piece of python functionality for wrapping arbitrary blocks of code : Python Context Managers
31, Jul 20
Python program to check if the list contains three consecutive common numbers in Python
13, Aug 20
Creating and updating PowerPoint Presentations in Python using python - pptx
15, Aug 20
Python Debugger – Python pdb
02, Jan 21
Filter Python list by Predicate in Python
16, Dec 21
Python: Iterating With Python Lambda
16, Dec 21
Python | Set 4 (Dictionary, Keywords in Python)
09, Feb 16
Python program to build flashcard using class in Python
03, Jan 21
GeeksforGeeks Python Foundation Course - Learn Python in Hindi!
28, Oct 21
Python | Sort Python Dictionaries by Key or Value
24, Jul 18
Article Contributed By :
https://media.geeksforgeeks.org/auth/avatar.png
Sowmya.L.R
@Sowmya.L.R
Vote for difficulty





Article Tags :
Practice Tags :
Report Issue

We use cookies to ensure you have the best browsing experience on our website. By using our site, you
acknowledge that you have read and understood our
Cookie Policy &
        Privacy Policy

Lightbox

Start Your Coding Journey Now!