Уязвимость в функции input () - Python 2.x

Эта статья направлена на объяснение и исследование уязвимости функции input () в Python 2.x. В Python 3 функция raw_input () была удалена, а ее функциональные возможности были переданы новой встроенной функции, известной как input ().

Способы ввода данных в Python 2.x

В Python 2.x есть два распространенных метода получения ввода:

1. Использование функции input (): эта функция принимает значение и тип ввода, который вы вводите, как есть, без изменения какого-либо типа.
2. Использование функции raw_input () : эта функция явно преобразует вводимые вами данные в строку типа,

Let us use the following program to determine the difference between the two:

Вход:

Hello
456
[1,2,3]
45
"goodbye"
[1,2,3]

Выход:

Введите ввод для проверки функции raw_input (): <type 'str'>
Введите ввод для проверки функции raw_input (): <type 'str'>
Введите ввод для проверки функции raw_input (): <type 'str'>

Введите input для проверки функции input (): <type ' int '>
Введите input totest input () function: <type ' str '>
Введите input для проверки функции input (): <type ' list '>

Примечание. При вводе строки в функции input () мы должны заключить значение в двойные кавычки. Это не требуется в raw_input ()

Уязвимость в методе input ()

The vulnerability in input() method lies in the fact that the variable accessing the value of input can be accessed by anyone just by using the name of variable or method. Let’s explore these one by one:

1. Variable name as input parameter: The variable having the value of input variable is able to access the value of the input variable directly.

   # Python 2.x program to show Vulnerabilities # in input() function using a variable     import random secret_number = random.randint(1,500) print "Pick a number between 1 to 500" while True:     res = input("Guess the number: ")     if res==secret_number:         print "You win"         break     else:         print "You lose"         continue

   Input:

   15
   

   Output:

   Pick a number between 1 to 500
   Guess the number: You lose
   Guess the number: 
   

   Input:

   secret_number
   

   Output:

   
   
   
   

   Pick a number between 1 to 500
   Guess the number: You win
   

   As it can be seen, in second case the variable “secret_number” can be directly given as input and answer is always “You won”. It evaluates the variable as if a number was directly entered, by which means it returns a True Boolean always. Using raw_input, it would not be possible as it disallows to read the variable directly.

2. Function name as parameter: The vulnerability lies here as we can even provide the name of a function as input and access values that are otherwise not meant to be accessed.

   # Python 2.x program to demonstrate input() function # vulnerability by passing function name as parameter secret_value = 500    # function that returns the secret value def secretfunction():     return secret_value    # using raw_input() to enter the number input1 = raw_input("Raw_input(): Guess secret number: ")    # input1 will be explicitly converted to a string if input1 == secret_value:     print "You guessed correct" else:     print "wrong answer"        # using input() to enter the number input2 = input("Input(): Guess the secret number: ")    #input2 is evaluated as it is entered if input2 == secret_value:     print "You guessed correct" else:     print "wrong answer"

   Input:

   400
   secretfunction()
   

   Output:

   Raw_input(): Guess secret number: wrong answer
   Input(): Guess the secret number: You guessed correct
   

   In this set of input/output, we can see that when we use raw_input, we necessarily have to input the correct number. However while using the input() function, we can even provide the name of a function or variable, and the interpreter will evaluate that.
   Here for example, the input for input() function has been given as the name of a function ‘secretfunction()’. The interpreter evaluates this function call and returns the secret number that we wish to find and hence our if condition evaluates to be true, even though we did not enter the secret number

   Input:

   secretfunction()
   secret_value
   

   Output:

   Raw_input(): Guess secret number: wrong answer
   Input(): Guess the secret number: You guessed correct
   

   As explained in first point, in this example also we were able to simply enter the variable name ‘secret_number’ in the input for ‘input()’ function and we were able to gain access to the secret value.
   However while trying to call secretfunction() in the input for the raw_input() function, it gives us false as the interpreter converts our argument to string, and doesn’t evaluate it as a function call.

Preventing input vulnerabilities

It is always better to use raw_input() in python 2.x and then explicitly convert the input to whatever type we require. For example, if we wish to take input of an integer, we can do the following

n = int(raw_input())

This prevents the malicious calling or evaluation of functions.

This article is contributed by Deepak Srivatsav. If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to contribute@geeksforgeeks.org. See your article appearing on the GeeksforGeeks main page and help other Geeks.

Please write comments if you find anything incorrect, or you want to share more information about the topic discussed above.

 Attention geek! Strengthen your foundations with the Python Programming Foundation Course and learn the basics.  

To begin with, your interview preparations Enhance your Data Structures concepts with the Python DS Course. And to begin with your Machine Learning Journey, join the Machine Learning – Basic Level Course