At Friday 19/1/2007 15:43, John Zenger wrote:
> Perhaps it is not as severe a security risk, but pure Python programs
> can run into similar problems if they don't check user input for %
> codes. Example:
>
> >>> k = raw_input("Try to trick me: ")
> Try to trick me: How about %s this?
> >>> j = "User %s just entered: " + k
> >>> print j % "John"
> Traceback (most recent call last):
>   File "<pyshell#8>", line 1, in ?
>     print j % "John"
> TypeError: not enough arguments for format string
That's not a problem, it's an exception. *This* is a problem:
printf("Hello, %s")
--
Gabriel Genellina
Softlab SRL
--
http://mail.python.org/mailman/listinfo/python-list
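The contrast drawn above, as an added Python 3 example that is not part of either poster's message: the concatenation mistake from the quoted session next to the fix (user input passed as a `%` argument, never spliced into the format string), run over constructed inputs that show where Python raises and where it silently alters the output instead.

```python
# Added example (not from the original thread): the quoted mistake beside the
# fix, in Python 3. All sample inputs below are constructed.

def unsafe_message(user, entered):
    """Builds the format string by concatenating user input (the bug from the
    quoted session): the user's text becomes part of the format itself."""
    template = "User %s just entered: " + entered
    return template % user


def safe_message(user, entered):
    """User input is passed as a format *argument*, so any '%' codes in it are
    printed literally and cannot change how the string is formatted."""
    return "User %s just entered: %s" % (user, entered)


def classify(user, entered):
    """Runs the unsafe builder and reports the outcome: 'ok' when the output
    is what the author intended, 'exception' when Python refuses to format,
    'altered' when it formats without error but the text was changed."""
    expected = safe_message(user, entered)
    try:
        got = unsafe_message(user, entered)
    except (TypeError, ValueError):
        return "exception"
    return "ok" if got == expected else "altered"


# Constructed sample inputs and what the unsafe builder does with each.
SAMPLES = [
    "hello",               # benign text: ok
    "How about %s this?",  # the quoted input: TypeError, not enough arguments
    "100%% sure",          # no exception, but '%%' collapses to a single '%'
    "%(name)s",            # a keyed code with a plain string arg: TypeError
    "50%",                 # trailing lone '%': ValueError, incomplete format
]

if __name__ == "__main__":
    for text in SAMPLES:
        print("%-22r unsafe: %-9s safe: %s"
              % (text, classify("John", text), safe_message("John", text)))
```

Only the `%%` case is the one to watch: the unsafe version neither raises nor produces the intended text, so no exception marks the problem.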