http://www.ddj.com/184405774;jsessio...QCKHSCJUNN2JVN
I saw a warning from homeland security about this. I only comment on
this because I am trying to use os.system('command1 arg') and it doesn't
work, but I do see examples with % that is borrowed from the C language.
Seems like if I can write a batch file that does something, the same
behavior should happen in the os module.
<Er*********@msn.com> wrote in message
news:11**********************@q2g2000cwa.googlegroups.com...
> http://www.ddj.com/184405774;jsessio...QCKHSCJUNN2JVN
> I saw a warning from homeland security about this. I only comment on
> this because I am trying to use os.system('command1 arg') and it doesn't
> work, but I do see examples with % that is borrowed from the C language.
> Seems like if I can write a batch file that does something, the same
> behavior should happen in the os module.
Pure Python programs are not affected, but a review of the C implementation
should be made to see if any (variant of) printf is used without a proper
format. Anyway I doubt you could find something, because the vulnerability
is so well known for ages.
--
Gabriel Genellina
In article <ma*********************************@python.org>,
"Gabriel Genellina" <ga******@yahoo.com.ar> writes:
|<Er*********@msn.com> wrote in message
|news:11**********************@q2g2000cwa.googlegroups.com...
|>
|> http://www.ddj.com/184405774;jsessio...QCKHSCJUNN2JVN
|>
|> I saw a warning from homeland security about this. I only comment on
|> this because I am trying to use os.system('command1 arg') and it doesn't
|> work, but I do see examples with % that is borrowed from the C language.
|> Seems like if I can write a batch file that does something, the same
|> behavior should happen in the os module.
|>
|Pure Python programs are not affected, but a review of the C implementation
|should be made to see if any (variant of) printf is used without a proper
|format. Anyway I doubt you could find something, because the vulnerability
|is so well known for ages.
Not really. There are LOTS of vulnerabilities that have been known
for ages and are still legion. The reason that this is unlikely is
that it is both easy to spot and trivial to fix.
Regards,
Nick Maclaren.
"Nick Maclaren" <nm**@cus.cam.a c.ukescribió en el mensaje
news:eo******** **@gemini.csx.c am.ac.uk...
In article <ma************ *************** ************@py thon.org>,
"Gabriel Genellina" <ga******@yahoo .com.arwrites:
|>
|Pure Python programs are not affected, but a review of the C
implementation
|should be made to see if any (variant of) printf is used without a
proper
|format. Anyway I doubt you could find something, because the
vulnerability
|is so well known for ages.
Not really. There are LOTS of vulnerabilities that have been known
for ages and are still legion. The reason that this is unlikely is
that it is both easy to spot and trivial to fix.
Yes... Anyway, unless someone actually *do* revise the code, if it's easy or
not has no importance. I think that some automated tools were used to find
problems, but I don't know if this specific vulnerability was searched.
--
Gabriel Genellina
Perhaps it is not as severe a security risk, but pure Python programs
can run into similar problems if they don't check user input for %
codes. Example:
>>> k = raw_input("Try to trick me: ")
Try to trick me: How about %s this?
>>> j = "User %s just entered: " + k
>>> print j % "John"
Traceback (most recent call last):
  File "<pyshell#8>", line 1, in ?
    print j % "John"
TypeError: not enough arguments for format string
On Fri, 19 Jan 2007 03:51:08 -0800, Er*********@msn.com wrote:
> http://www.ddj.com/184405774;jsessio...QCKHSCJUNN2JVN
> I saw a warning from homeland security about this. I only comment on
> this because I am trying to use os.system('command1 arg') and it doesn't
> work
What do you mean, doesn't work? It works fine for me, precisely as
expected. What does it do for you? Crash Windows? Crash Python? Raise an
exception? Return an unexpected result?
> but I do see examples with % that is borrowed from the C language.
The "When Format Strings Attack" article isn't relevant to Python. Unlike
C, Python doesn't arbitrarily dump bytes from the stack into a string if you
print a string containing %s. In Python, print just prints strings; it
doesn't do any string formatting. String formatting is done by the %
operator, so print "a string containing %s" is safe.
You'd be better off looking at Python examples than C. This is what I'm
guessing you're doing:
>>> import os
>>> command1 = 'dir'
>>> args = '-l text.txt'
>>> os.system('command1 arg')
sh: command1: command not found
32512
os.system doesn't do name-lookups of the string you pass to it. The right
way to do this is some variation on this:
>>> commandline = "%s %s" % (command1, args)
>>> commandline
'dir -l text.txt'
>>> os.system(commandline)
-rw-rw-r-- 1 steve steve 333 Sep 24 16:51 text.txt
0
or even something like this:
>>> os.system('dir -l %s' % 'text.txt')
Now, there is a security risk: you might set command1 yourself, and
allow the user to set args. If command1 is an external application
with a security hole, and the user provides arguments that trigger that
bug, then naturally your application will inherit whatever security
vulnerabilities the external application suffers from. No surprises there.
--
Steven.
At Friday 19/1/2007 15:43, John Zenger wrote:
> Perhaps it is not as severe a security risk, but pure Python programs can run into similar problems if they don't check user input for % codes. Example:
> >>> k = raw_input("Try to trick me: ")
> Try to trick me: How about %s this?
> >>> j = "User %s just entered: " + k
> >>> print j % "John"
> Traceback (most recent call last):
>   File "<pyshell#8>", line 1, in ?
>     print j % "John"
> TypeError: not enough arguments for format string
That's not a problem, it's an exception. *This* is a problem:
printf("Hello, %s")
--
Gabriel Genellina
Softlab SRL
On Fri, 19 Jan 2007 10:43:53 -0800, John Zenger wrote:
> Perhaps it is not as severe a security risk, but pure Python programs
> can run into similar problems if they don't check user input for %
> codes.
Please don't top-post.
A: Because it messes up the order that we read things.
Q: Why?
A: Top-posting.
Q: What is the most annoying newsgroup habit?
> Example:
> >>> k = raw_input("Try to trick me: ")
> Try to trick me: How about %s this?
> >>> j = "User %s just entered: " + k
> >>> print j % "John"
> Traceback (most recent call last):
>   File "<pyshell#8>", line 1, in ?
>     print j % "John"
> TypeError: not enough arguments for format string
That's hardly the same sort of vulnerability the article was talking
about, but it is a potential bug waiting to bite.
In a serious application, you should keep user-inputted strings separate
from application strings, and never use user strings unless they've been
made safe. See Joel Spolsky's excellent article about one way of doing
that: http://www.joelonsoftware.com/articles/Wrong.html
--
Steven.
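The behaviour John's transcript shows, Gabriel's point that it is an exception rather than a memory disclosure, and Steven's advice to keep user strings out of the template, worked through as an added example. This is not code from the thread: it is Python 3 (the thread used Python 2's raw_input and print statement), the function names are mine, and the sample payloads and the VALUES mapping with its db_password entry are constructed. The last function goes one step beyond the thread: when the attacker controls the template and the right-hand side of % is a mapping, %(key)s reads whatever key they name, which is disclosure rather than a crash.

```python
# Added example: user input on the left-hand side of the % operator, the
# safe pattern, and the mapping case. Python 3; names and data are mine.

def render_naive(user_text, user_name):
    # The pattern from the thread: user text is concatenated INTO the
    # template, so any % in it is parsed as a conversion specifier.
    template = "User %s just entered: " + user_text
    return template % user_name

def render_safe(user_text, user_name):
    # Fixed template written by the programmer; user text only ever
    # travels as an argument, so "%s", "%d", "%(x)s" in it are inert.
    return "User %s just entered: %s" % (user_name, user_text)

def render_user_template(user_template, values):
    # Generalisation beyond the thread: attacker-chosen template applied
    # to a mapping. %(key)s reads any key in the mapping, no exception.
    return user_template % values

def outcome(func, *args):
    # Run a renderer and report the result or the exception type so the
    # failure modes can be compared side by side.
    try:
        return ("ok", func(*args))
    except (TypeError, ValueError) as exc:
        return (type(exc).__name__, str(exc))

# Constructed sample inputs (assumed, not from the thread).
PAYLOADS = {
    "too_many_specs": "How about %s this?",  # John's input -> TypeError
    "extra_spec": "%d",                      # conversion with no argument
    "needs_mapping": "%(name)s",             # str argument is not a mapping
    "dangling_percent": "100%",              # ValueError: incomplete format
    "harmless": "hello",
}

# Constructed mapping with a value the user must never see.
VALUES = {"name": "John", "db_password": "hunter2"}

def demo():
    results = {}
    for label, text in PAYLOADS.items():
        results["naive/" + label] = outcome(render_naive, text, "John")
        results["safe/" + label] = outcome(render_safe, text, "John")
    # Attacker-chosen template against the mapping: reads a key they were
    # never meant to see, versus the template the programmer intended.
    results["template/leak"] = outcome(render_user_template, "%(db_password)s", VALUES)
    results["template/intended"] = outcome(render_user_template, "Hello %(name)s", VALUES)
    return results

if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(key, value)
```

Every naive/* entry except "harmless" comes back as a TypeError or ValueError, every safe/* entry renders the payload literally, and template/leak returns the password. The fix is the one Steven gives: the template is a string constant in the program, and user input is only ever an argument to %.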
Steven D'Aprano wrote:
> os.system('dir -l %s' % 'text.txt')
> Now, there is a security risk: you might set command1 yourself, and
> allow the user to set args. If command1 is an external application
> with a security hole, and the user provides arguments that trigger that
> bug, then naturally your application will inherit whatever security
> vulnerabilities the external application suffers from. No surprises there.
There are also big risks like this
import os
filename = 'foo; rm importantfile'
cmd = 'ls %s' % filename
os.system(cmd)
oops!
--
Jeremy Sanders http://www.jeremysanders.net/
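Jeremy's 'ls %s' % filename and Steven's point that user-supplied args reach the external program, as an added example that is not part of the thread. It shows the injection actually executing and the two standard fixes, quoting with shlex.quote and, preferably, passing an argument vector with no shell at all. The function names are mine; the command is echo rather than ls, and the payload replaces rm with a harmless marker, so nothing on the filesystem is touched. subprocess is used instead of os.system only so the output can be captured; the shell=True path parses the string exactly the way os.system does.

```python
# Added example: shell injection through a %-built command line, and the
# two fixes. Standard library only; names and payload are mine.
import shlex
import subprocess

def run_naive(filename):
    # VULNERABLE: the user string is spliced into a line that /bin/sh
    # parses, so ';', '|', '$(...)' and friends are all live. This is what
    # os.system('ls %s' % filename) does too.
    cmd = "echo %s" % filename
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def run_quoted(filename):
    # Still goes through a shell, but the user string is quoted so the
    # shell sees exactly one word. Acceptable when a shell is unavoidable.
    cmd = "echo %s" % shlex.quote(filename)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def run_argv(filename):
    # Preferred: no shell at all. The argument vector goes straight to
    # execve(), so there is no command-line parsing left to subvert. The
    # program still receives the user's string as its argument, which is
    # Steven's remaining risk: bugs in that program are now yours.
    return subprocess.run(["echo", filename], capture_output=True, text=True).stdout

# Constructed payload in the shape of Jeremy's 'foo; rm importantfile',
# with the destructive command replaced by a visible marker.
PAYLOAD = "foo; echo INJECTED"

def demo():
    return {
        "naive": run_naive(PAYLOAD),
        "quoted": run_quoted(PAYLOAD),
        "argv": run_argv(PAYLOAD),
    }

if __name__ == "__main__":
    for name, out in demo().items():
        print("%-6s -> %r" % (name, out))
```

The naive version prints two lines, "foo" and "INJECTED", because the shell ran two commands; the quoted and argv versions print the whole payload as a single literal argument. Note that quoting only protects the command line: if the user can choose a value like "-rf" for a program that takes options, the argv form still passes it, so validate the value against what the program expects (or put "--" before it) as well.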
I will give the formatting a try. I noticed another formatting thing I
wasn't looking for. It is possible to have a \n at the end of a word
or at least that is how it is shown and fixed through python 2.5. I
had an error where 36\n isn't a number. easy to fix though.