Python Security: New String Format Vulnerability Analysis and Solutions

Recently a python string formatting vulnerability caught my attention. Today I will talk about the security vulnerability of a new syntax for formatting strings introduced by Python. I conducted an in-depth analysis and provided corresponding security measures. solution.

When we use str.format for untrusted user input, it will bring security risks - I have actually known about this problem for a long time, but I didn't really realize it until today severity. Because attackers can use it to bypass the Jinja2 sandbox, this will cause serious information leakage problems. In the meantime, I provide a new safe version of str.format at the end of this article.

It should be reminded that this is a quite serious security risk. The reason why I write an article here is because most people probably don’t know how easy it is to be exploited.

Core Issue

Starting from Python 2.6, Python has introduced a new syntax for formatting strings inspired by .NET. Of course, in addition to Python, Rust and some other programming languages ​​also support this syntax. With the help of the .format() method, this syntax can be applied to both byte and unicode strings (in Python 3, only unicode strings), and it can also be mapped to more customizable strings. Formatter API.

A feature of this syntax is that it allows one to determine the positional and keyword parameters of the string format, and to explicitly reorder the data items at any time. Furthermore, it can even access the object's properties and data items - which is the root cause of the security issue here.

Overall, one can use this to do the following things:

Essentially, anyone with control over the format string has the potential to access various internal properties of the object.

where is the problem?

The first question is, how to control the format string. You can start from the following places:

1. Untrusted translator in string file. We're likely to get away with them, because many applications translated into multiple languages ​​use this new Python string formatting method, but not everyone will perform a thorough review of all strings entered.

2. User exposed configuration. Because some system users can configure certain behaviors, these configurations may be exposed in the form of format strings. As a special note, I have seen some users configure notification emails, log message formats, or other basic templates through the web application.

Danger level

If you just pass the C interpreter object to the format string, there will not be much danger, because in this case, you will expose some integer classes at most. s things.

However, once a Python object is passed to this format string, it becomes troublesome. This is because the amount of stuff that can be exposed from Python functions is pretty staggering. Here is the scenario of a hypothetical web application that could leak the key:

If the user can inject the format_string here, then they can discover the secret characters like this String:

Sandbox formatting

So, what should you do if you need to let others provide the formatting string? In fact, some undocumented internal mechanisms can be used to change the string formatting behavior.

Now, we can use the safe_format method to replace str.format:

Summary:

There is a saying in program development: Do not trust the user at any time input of! Now it seems that this sentence makes perfect sense. So students, please keep this in mind!

【Course Recommendation】

Python Free Online Video Tutorial

The above is the detailed content of Python Security: New String Format Vulnerability Analysis and Solutions. For more information, please follow other related articles on the PHP Chinese website!