Is input() safe to use if you use it as a string?

I experimented with the Python 2.7 function input() and tried to find ways to use it. I know that in itself it is vulnerable to exploitation, because you can enter Python expressions, which will then be evaluated. My question is: if you pass it as a string, that is:

str(input())

is it still vulnerable to these exploits? Does it make it completely safe?

As an example, given the following program, is there a way to use input() and get it to print "RIGHT password"?

import random
inp = str(input("Enter the password: "))
password = random.randint(0, 100)
if inp == password:
    print "RIGHT password"
else:
    print "WRONG password"
+4
5 answers


C:\Users\Kevin\Desktop>py -2 test.py
Enter the password: __import__('sys').stdout.write('RIGHT password') or exit(0)
RIGHT password
C:\Users\Kevin\Desktop>


C:\Users\Kevin\Desktop>py -2 test.py
Enter the password: (1, globals().update({"random": type("", (object,), {"__init__": lambda self: setattr(self, "randint", lambda x,y: "1")})()}))[0]
RIGHT password

C:\Users\Kevin\Desktop>


import random
inp = str(input("Enter the password: "))
if inp == "hunter2":
    print "RIGHT password"
else:
    print "WRONG password"
C:\Users\Kevin\Desktop>py -2 test.py
Enter the password: __import__("re").search(r"if inp == \"(.*?)\"", open(__file__).read()).group(1)
RIGHT password


C:\Users\Kevin\Desktop>py -2 test.py
Enter the password: type("", (str,), {"__str__": lambda self: self, "__eq__": lambda self, other: True})()
RIGHT password

C:\Users\Kevin\Desktop>
+11
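The sessions above all rest on one fact: in Python 2, input(prompt) is literally eval(raw_input(prompt)), so the typed text has already been executed before str() ever receives a value. The following is an added example, not code from the thread or from any of the answerers; it simulates the Python 2 semantics in Python 3 with a plain eval over a constructed string (so it runs without a Python 2 interpreter), and places the safe pattern (raw_input() in Python 2, input() in Python 3, plus ast.literal_eval when a literal value is genuinely needed) next to it. SIDE_EFFECTS, py2_input_simulated and the other function names are this example's own.

```python
"""Why str(input()) does not help in Python 2, and what does.

Added example: simulates Python 2's input() with eval() so the ordering
(evaluate first, convert to str afterwards) can be observed in Python 3.
"""
import ast
import hmac

# Constructed marker: anything appended here proves the typed text ran.
SIDE_EFFECTS = []


def py2_input_simulated(typed):
    """Python 2 semantics: input() == eval(raw_input()).

    The typed text is evaluated as an expression before the caller sees
    any value. eval() is used here only to reproduce that behaviour."""
    return eval(typed)


def check_with_str_input(typed, password):
    """The questioner's pattern, str(input(...)).

    By the time str() runs, the expression has already executed; str()
    merely converts whatever it returned. The password is stringified too so
    the comparison is not trivially False on a str-vs-int mismatch."""
    inp = str(py2_input_simulated(typed))
    return inp == str(password)


def check_with_raw_input(typed, password):
    """The safe pattern: raw_input() (Python 2) / input() (Python 3).

    The typed characters are returned untouched and nothing is evaluated.
    hmac.compare_digest gives a length-independent, constant-time compare."""
    inp = typed  # what raw_input() would hand back: the raw line, no eval
    return hmac.compare_digest(inp, str(password))


def parse_literal_only(typed):
    """If a structured value is really needed, ast.literal_eval accepts only
    literals (numbers, strings, tuples, lists, dicts, ...). Calls, attribute
    access and names are rejected, so an expression such as
    __import__('os') raises ValueError instead of running."""
    try:
        return ast.literal_eval(typed)
    except (ValueError, SyntaxError):
        return None


if __name__ == "__main__":
    # Constructed input: an expression with a side effect that evaluates to 51.
    typed = "SIDE_EFFECTS.append('ran') or 51"
    print("str(input()) path accepts it:", check_with_str_input(typed, 51))
    print("side effect observed:", SIDE_EFFECTS)
    print("raw_input path accepts it:", check_with_raw_input(typed, 51))
    print("raw_input path, correct value:", check_with_raw_input("51", 51))
    print("literal_eval of a call:", parse_literal_only("__import__('os')"))
    print("literal_eval of a tuple:", parse_literal_only("(1, 2)"))
```

The point the output makes is that str() sits after the evaluation in the data flow, so it can neither prevent the side effect nor stop the typed expression from producing whatever value the comparison wants; only reading the line without evaluating it (raw_input/input) removes the code-execution primitive, and ast.literal_eval is the tool for the narrow case where a typed literal has to be parsed.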


+2

[random.seed(1), random.randint(0, 100), random.seed(1)][1]

+1

Try entering exit() as the contents of the string; it will kill the interpreter. Casting to str doesn't change anything.

0

No. You're wrong.

All you do is cast the result of executing the code in input() to a string. Python will still run the code in input(), regardless of whether you cast the return value to a string or not. Passing the result of input() to str() does not help with its vulnerability:

>>> str(input('enter> ')) # Python will still run the code.
enter> 1 + 10 * 5
'51'
>>> 
0

Source: https://habr.com/ru/post/1678003/
