Skip to content
Related Articles
Get the best out of our app
Open App

Related Articles

Vulnerability in str.format() in Python

Improve Article
Save Article
Like Article
Improve Article
Save Article
Like Article

Prerequisites: Python – format() function

str.format() is one of the string formatting methods in Python3, which allows multiple substitutions and value formatting. This method lets us concatenate elements within a string through positional formatting. It seems quite a cool thing. But the vulnerability comes when our Python app uses str.format in the user-controlled string. This vulnerability may lead attackers to get access to sensitive information.

Note: This issue has been reported here
str format vulnerability

So how come this becomes a vulnerability. Let’s see the following example


# Let us assume this CONFIG holds some sensitive information
    "KEY": "ASXFYFGK78989"
class PeopleInfo:
    def __init__(self, fname, lname):
        self.fname = fname
        self.lname = lname
def get_name_for_avatar(avatar_str, people_obj):
    return avatar_str.format(people_obj = people_obj)
# Driver Code
people = PeopleInfo('GEEKS', 'FORGEEKS')
# case 1: st obtained from user
st = input()
get_name_for_avatar(st, people_obj = people)

Case 1:
when user gives the following str as input




Case 2:
when user inputs the following str as input




This is because string formatting functions could access attributes objects as well which could leak data. Now a question might arise. Is it bad to use str.format()?. No, but it becomes vulnerable when it is used over user-controlled strings.

My Personal Notes arrow_drop_up
Last Updated : 08 Jun, 2020
Like Article
Save Article
Similar Reads
Related Tutorials