Unsafe String interpretation if using input() function
-
Affected Components : builtins
-
Operating System : Linux
-
Python Versions : 2.6.x, 2.7.x
-
Reproducible : Yes
Secret = "A SECRET DATA"
Public = "a BANANA"
value = input("Please enter your age ")
print "There are",value,
print "monkeys looking for",PublicTo reproduce the problem copy the source code in a file and execute the script using the following command syntax:
$ python -OOBRtt test.pyAlternatively you can open python in interactive mode:
$ python -OOBRtt <press enter>Then copy the lines of code into the interpreter.
The script will ask the user to provide a number, and if the user provides ONLY a number then nothing happens.
python -OOBRtt test.py
Please enter your age 32
There are 32 monkeys looking for a BANANA
But if the user provides something different, for example a python command as dir(), the string is interpreted and executed:
python -OOBRtt test.py
Please enter your age dir()
There are ['Public', 'Secret', '__builtins__', '__doc__', '__file__', '__name__', '__package__'] monkeys looking for a BANANA
In this case using dir() allow us to see “most” of the attributes of an object.
Is also possible to provie the name of a variable, in this case we provide SECRET as this is the name of the variable that should not be accessible.
python -OOBRtt test.py
Please enter your age Secret
There are A SECRET DATA monkeys looking for a BANANA
What you type as input is interpreted through an expression and the result is saved into your target variable with no control or limits.
We are not aware on any easy solution other than trying to avoid using the function 'input' in cases like the one examined.
[Python builtins][01] [01]:https://docs.python.org/2/library/functions.html
Main site: pythonsecurity.org
OWASP Page: owasp.org/index.php/OWASP_Python_Security_Project