Skip to content
Related Articles

Related Articles

Improve Article
Vulnerability in str.format() in Python
  • Last Updated : 08 Jun, 2020

Prerequisites: Python – format() function

str.format() is one of the string formatting methods in Python3, which allows multiple substitutions and value formatting. This method lets us concatenate elements within a string through positional formatting. It seems quite a cool thing. But the vulnerability comes when our Python app uses str.format in the user-controlled string. This vulnerability may lead attackers to get access to sensitive information.

Note: This issue has been reported here
str format vulnerability

So how come this becomes a vulnerability. Let’s see the following example

Example:






# Let us assume this CONFIG holds some sensitive information
CONFIG = {
    "KEY": "ASXFYFGK78989"
}
  
class PeopleInfo:
    def __init__(self, fname, lname):
        self.fname = fname
        self.lname = lname
  
def get_name_for_avatar(avatar_str, people_obj):
    return avatar_str.format(people_obj = people_obj)
  
  
# Driver Code
people = PeopleInfo('GEEKS', 'FORGEEKS')
  
# case 1: st obtained from user
st = input()
get_name_for_avatar(st, people_obj = people)
Case 1:
when user gives the following str as input
Avatar_{people_obj.fname}_{people_obj.lname}
Output:
Avatar_GEEKS_FORGEEKS
Case 2:
when user inputs the following str as input
{people_obj.__init__.__globals__[CONFIG][KEY]}
Output:
ASXFYFGK78989
This is because string formatting functions could access attributes objects as well which could leak data. Now a question might arise. Is it bad to use str.format()?. No, but it becomes vulnerable when it is used over user-controlled strings.
 Attention geek! Strengthen your foundations with the Python Programming Foundation Course and learn the basics.  
To begin with, your interview preparations Enhance your Data Structures concepts with the Python DS Course. And to begin with your Machine Learning Journey, join the Machine Learning – Basic Level Course
My Personal Notes
arrow_drop_up
Previous
sympy.stats.Wald() in Python
Next

Important differences between Python 2.x and Python 3.x with examples
Recommended Articles
Page :
Vulnerability in input() function – Python 2.x
10, May 17
Python | Set 4 (Dictionary, Keywords in Python)
09, Feb 16
Python program to build flashcard using class in Python
03, Jan 21
Python | Sort Python Dictionaries by Key or Value
24, Jul 18
Python | Merge Python key values to list
31, Jul 19
Reading Python File-Like Objects from C | Python
06, Jun 19
Python | Add Logging to a Python Script
11, Jun 19
Python | Add Logging to Python Libraries
11, Jun 19
JavaScript vs Python : Can Python Overtop JavaScript by 2020?
12, Jun 19
Python | Visualizing O(n) using Python
17, Aug 19
Python | Index of Non-Zero elements in Python list
02, Sep 19
Python | Convert list to Python array
26, Sep 19
MySQL-Connector-Python module in Python
04, Mar 20
Python - Read blob object in python using wand library
21, Apr 20
Python | PRAW - Python Reddit API Wrapper
26, Apr 20
twitter-text-python (ttp) module - Python
28, May 20
Reusable piece of python functionality for wrapping arbitrary blocks of code : Python Context Managers
31, Jul 20
Python program to check if the list contains three consecutive common numbers in Python
13, Aug 20
Creating and updating PowerPoint Presentations in Python using python - pptx
15, Aug 20
Python Debugger – Python pdb
02, Jan 21
Important differences between Python 2.x and Python 3.x with examples
25, Feb 16
How to write an empty function in Python - pass statement?
04, May 16
Python – The new generation Language
14, Oct 15
Python List Comprehension and Slicing
10, Feb 16
Article Contributed By :
https://media.geeksforgeeks.org/auth/avatar.png
Sowmya.L.R
@Sowmya.L.R
Vote for difficulty





Article Tags :
Report Issue

We use cookies to ensure you have the best browsing experience on our website. By using our site, you
acknowledge that you have read and understood our
Cookie Policy &
        Privacy Policy

Lightbox