Analysis of Python's new string format vulnerabilities and solutions

Aug 16, 2017 pm 01:47 PM

Recently a Python string-formatting vulnerability caught my attention. Today I will talk about a security weakness in the new string-formatting syntax introduced by Python, analyse it in depth, and provide a corresponding safe solution.

Using str.format on untrusted user input brings security risks. I have known about this problem for a long time, but only today did I really realise its severity: an attacker can use it to bypass the Jinja2 sandbox, which leads to serious information leakage. At the end of this article I provide a new, safe version of str.format.

It should be stressed that this is a quite serious security risk. The reason I am writing this article is that most people probably do not know how easy it is to exploit.

Core Issue

Starting with Python 2.6, Python introduced a new string-formatting syntax inspired by .NET. Besides Python, Rust and some other programming languages also support this syntax. Through the .format() method it applies to both byte and unicode strings (in Python 3, only unicode strings), and it is also exposed through the more customisable Formatter API.

One feature of this syntax is that it lets you address the positional and keyword arguments of the format call and explicitly reorder them. Furthermore, it can even access attributes and items of the passed objects, which is the root cause of the security issue here.

Overall, one can use this to do the following things:

>>> 'class of {0} is {0.__class__}'.format(42)
"class of 42 is <class 'int'>"

Essentially, anyone with control over the format string has the potential to access various internal properties of the object.

where is the problem?

The first question is how the format string can come under someone else's control. It can come from the following places:

1. Untrusted translators in string files. We tend to get away with this because many applications translated into multiple languages use this new Python string-formatting method, but not everyone reviews every translated string thoroughly.

2. User-exposed configuration. Because some users of a system can configure certain behaviours, these configurations may be exposed in the form of format strings. In particular, I have seen users configure notification emails, log message formats, or other basic templates through a web application.

Danger level

If only objects implemented in C are passed to the format string, there is not much danger: at most you expose things like the integer class.

However, once a Python object is passed to the format string, it becomes troublesome, because the amount that can be exposed through Python functions is staggering. Here is the scenario of a hypothetical web application that could leak its secret key:

CONFIG = {
    'SECRET_KEY': 'super secret key'
}
 
class Event(object):
    def __init__(self, id, level, message):
        self.id = id
        self.level = level
        self.message = message
 
def format_event(format_string, event):
    return format_string.format(event=event)

If the user can inject format_string here, they can discover the secret key like this:

{event.__init__.__globals__[CONFIG][SECRET_KEY]}

Sandbox formatting

So what should you do if you need to let others provide the format string? Some undocumented internal mechanisms can be used to change the string-formatting behaviour.

from string import Formatter
try:
    from collections.abc import Mapping   # Python 3.3+
except ImportError:
    from collections import Mapping       # Python 2

class MagicFormatMapping(Mapping):
    """This class implements a dummy wrapper to fix a bug in the Python
    standard library for string formatting.

    See http://bugs.python.org/issue13598 for information about why
    this is necessary.
    """

    def __init__(self, args, kwargs):
        self._args = args
        self._kwargs = kwargs
        self._last_index = 0

    def __getitem__(self, key):
        if key == '':
            idx = self._last_index
            self._last_index += 1
            try:
                return self._args[idx]
            except LookupError:
                pass
            key = str(idx)
        return self._kwargs[key]

    def __iter__(self):
        return iter(self._kwargs)

    def __len__(self):
        return len(self._kwargs)

# This is a necessary API but it's undocumented and moved around
# between Python releases
try:
    from _string import formatter_field_name_split   # Python 3
except ImportError:
    def formatter_field_name_split(x):               # Python 2
        return x._formatter_field_name_split()

class SafeFormatter(Formatter):

    def get_field(self, field_name, args, kwargs):
        # Walk the field name ourselves so that every attribute step
        # goes through safe_getattr instead of plain getattr.
        first, rest = formatter_field_name_split(field_name)
        obj = self.get_value(first, args, kwargs)
        for is_attr, i in rest:
            if is_attr:
                obj = safe_getattr(obj, i)
            else:
                obj = obj[i]
        return obj, first

def safe_getattr(obj, attr):
    # Expand the logic here.  For instance on 2.x you will also need
    # to disallow func_globals, on 3.x you will also need to hide
    # things like cr_frame and others.  So ideally have a list of
    # objects that are entirely unsafe to access.
    if attr[:1] == '_':
        raise AttributeError(attr)
    return getattr(obj, attr)

def safe_format(_string, *args, **kwargs):
    formatter = SafeFormatter()
    kwargs = MagicFormatMapping(args, kwargs)
    return formatter.vformat(_string, args, kwargs)

Now we can use safe_format in place of str.format:

>>> '{0.__class__}'.format(42)
"<class 'int'>"
>>> safe_format('{0.__class__}', 42)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
AttributeError: __class__
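A stricter variant of the sandboxed formatter, added here as an example and not code from the original post: instead of a denylist of attribute names, it only follows attribute steps that appear in an explicit per-type allowlist, and it adds a static validate_template check that can run when a user saves a template (for example from the configuration UI mentioned above), before any object is bound to it. Event, CONFIG, ALLOWED_ATTRS and the function names are constructed for this example; it assumes CPython 3, where _string.formatter_field_name_split exists.

```python
from string import Formatter
from _string import formatter_field_name_split  # CPython internal, as on the page
# Constructed stand-ins for the page's scenario (not the original post's code).
CONFIG = {'SECRET_KEY': 'super secret key'}

class Event(object):
    def __init__(self, id, level, message):
        self.id = id
        self.level = level
        self.message = message

# Allowlist: type -> attribute names a template may read on it.  Anything not
# listed (dunder attributes, [item] indexing, attributes of str/int/dict, ...)
# is refused, so nothing depends on guessing which names are dangerous.
ALLOWED_ATTRS = {Event: {'id', 'level', 'message'}}
def _step_allowed(obj_type, is_attr, name):
    allowed = ALLOWED_ATTRS.get(obj_type)
    return is_attr and allowed is not None and name in allowed
class AllowlistFormatter(Formatter):
    def get_field(self, field_name, args, kwargs):
        first, rest = formatter_field_name_split(field_name)
        obj = self.get_value(first, args, kwargs)
        for is_attr, name in rest:
            if not _step_allowed(type(obj), is_attr, name):
                raise AttributeError('field %r is not permitted' % field_name)
            obj = getattr(obj, name)
        return obj, first

def allowlist_format(template, *args, **kwargs):
    """Render a template; conversions (!r) and format specs still work."""
    return AllowlistFormatter().vformat(template, args, kwargs)

def validate_template(template, roots):
    """Static check for when a template is saved.  `roots` maps keyword names
    to the type supplied at render time; returns the fields that would be refused."""
    bad = []
    for _, field_name, format_spec, _ in Formatter().parse(template):
        if field_name is None:
            continue
        first, rest = formatter_field_name_split(field_name)
        obj_type = roots.get(first)
        for is_attr, name in rest:
            if not _step_allowed(obj_type, is_attr, name):
                bad.append(field_name)
                break
            obj_type = None  # listed attributes are leaves; no deeper steps
        if format_spec:      # nested fields such as {event.id:{width}}
            bad.extend(validate_template(format_spec, roots))
    return bad
```

Running validate_template at save time gives the user an immediate error about the offending field, while AllowlistFormatter still refuses the same field at render time should a template reach it by another route.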

Summary:

There is a saying in software development: never trust user input! Now it seems that this sentence makes perfect sense. So students, please keep this in mind!
