Perhaps it is not as severe a security risk, but pure Python programs can run into similar problems if they don't check user input for % codes. Example:
>>> k = raw_input("Try to trick me: ")
Try to trick me: How about %s this?
>>> j = "User %s just entered: " + k
>>> print j % "John"
Traceback (most recent call last):
  File "<pyshell#8>", line 1, in ?
    print j % "John"
TypeError: not enough arguments for format string

On Jan 19, 10:44 am, "Gabriel Genellina" <[EMAIL PROTECTED]> wrote:
> <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
>
> > http://www.ddj.com/184405774;jsessionid=BDDEMUGJOPXUMQSNDLQCKHSCJUNN2JVN
> >
> > I saw a warning from homeland security about this. I only comment on
> > this because I am trying to use os.system('command1 arg') and it doesn't
> > work but I do see examples with % that is borrowed from the c language.
> > Seems like if I can write a batch file that does something the same
> > behavior should happen in the os module.
>
> Pure Python programs are not affected, but a review of the C implementation
> should be made to see if any (variant of) printf is used without a proper
> format. Anyway I doubt you could find something, because the vulnerability
> has been so well known for ages.
>
> --
> Gabriel Genellina

--
http://mail.python.org/mailman/listinfo/python-list
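The pattern from the transcript above, as an added example (not code from the original post): the user's text concatenated into the format string, beside the fixed form that keeps the template constant and passes the input as an argument. Python 3 syntax; the function names and the sample inputs are assumptions made for this example, and it also covers the silent case where "%%" in the input is collapsed to a single "%" without any error.

```python
# Added example, not from the original post. Python 3.

def vulnerable_message(user_text):
    """The pattern from the post: user text becomes part of the FORMAT string,
    so any '%' it contains is parsed as a conversion specifier."""
    template = "User %s just entered: " + user_text
    return template % "John"


def safe_message(user_text):
    """The fix: the template stays constant and user data is passed as an
    argument, so '%' characters in user_text are ordinary characters."""
    template = "User %s just entered: %s"
    return template % ("John", user_text)


def describe(user_text):
    """Run both forms on the same (constructed) input and report the outcome.

    'error' is the exception name raised by the vulnerable form, or None.
    Note that "%%" in the input raises nothing but silently changes the
    output, which is the hardest case to notice in testing."""
    try:
        vulnerable = vulnerable_message(user_text)
        error = None
    except (TypeError, ValueError) as exc:  # not enough args / incomplete format
        vulnerable = None
        error = type(exc).__name__
    return {"vulnerable": vulnerable, "error": error, "safe": safe_message(user_text)}


if __name__ == "__main__":
    # Constructed sample inputs: benign, the post's own trick, a trailing '%',
    # and a literal '%%' that is silently altered by the vulnerable form.
    for sample in ("hello", "How about %s this?", "100%", "50%% off"):
        print(repr(sample), "->", describe(sample))
```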