On Sun, 16 Oct 2011 11:20:49 -0700, Gnarlodious wrote:

> On Oct 15, 5:53 pm, PoD <p...@internode.on.net> wrote:
>
>> data = {
>>     'Mobile': 'string',
>>     'context': '<malicious code>',
>>     'order': '7',
>>     'time': 'True'}
>> types={'Mobile':str,'context':str,'order':int,'time':bool}
>>
>> for k,v in data.items():
>>     data[k] = types[k](v)
>
> Thanks for the tip, I didn't know you could do that. I ended up
> filtering the values the bulky way,

What is "the bulky way"?

> but it gives me total control over
> what internet users feed my program.

Why does this not fill me with confidence? Jon Clements has already
spotted a major bug in the above: using bool as shown is not correct.
Furthermore, converting '<malicious code>' into a string does nothing,
since it is already a string.

Gnarlodious, it is good that you are concerned about code injection
attacks, but defending against them is not simple or easy. I don't intend
to sound condescending, but when your response to being shown a simple
filter that maps keys to types is to say "I didn't know you could do
that", that's a good warning that your Python experience may not be quite
up to the job of out-guessing the sort of obscure tricks hostile attackers
may use.

If you think that defending against malicious code is simple, you should
read this blog post:

http://tav.espians.com/a-challenge-to-break-python-security.html

and the thread which inspired it:

http://mail.python.org/pipermail/python-dev/2009-February/086401.html

How do you sanitize user input?

--
Steven
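
Added example, not part of the original thread or written by any of its participants: a stricter version of the key-to-type map quoted above, showing why `bool` cannot be used as the converter and what the map can and cannot check. The names `parse_bool`, `parse_order`, `parse_text`, `SCHEMA` and `validate`, the 0..99 range and the 200-character limit are assumptions made for illustration.

```python
# Added example (not from the thread). All names here are hypothetical.

def parse_bool(text):
    """Accept only explicit spellings; bool('False') would be True."""
    table = {'true': True, 'false': False}
    try:
        return table[text.strip().lower()]
    except KeyError:
        raise ValueError('not a boolean: %r' % text)

def parse_order(text):
    """Integer in a bounded range (the range 0..99 is an assumption)."""
    value = int(text)            # raises ValueError on non-numeric input
    if not 0 <= value <= 99:
        raise ValueError('order out of range: %r' % value)
    return value

def parse_text(text, max_len=200):
    """Strings stay strings: only the length is bounded here.
    Escaping belongs where the value is used (HTML, SQL, shell)."""
    if len(text) > max_len:
        raise ValueError('value too long')
    return text

SCHEMA = {'Mobile': parse_text, 'context': parse_text,
          'order': parse_order, 'time': parse_bool}

def validate(data, schema=SCHEMA):
    """Return a new dict of converted values, or raise ValueError."""
    unknown = set(data) - set(schema)
    if unknown:
        raise ValueError('unexpected keys: %s' % sorted(unknown))
    missing = set(schema) - set(data)
    if missing:
        raise ValueError('missing keys: %s' % sorted(missing))
    return {key: schema[key](data[key]) for key in schema}

if __name__ == '__main__':
    sample = {'Mobile': 'string', 'context': '<malicious code>',
              'order': '7', 'time': 'False'}   # constructed input
    print(bool('False'))      # the bug: any non-empty string is truthy
    print(validate(sample))
```

The `context` value passes through unchanged: type conversion only constrains shape, so the string still has to be escaped for whatever context later consumes it.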