Vulnerability in the input () function — Python 2.x


The purpose of this article is to explain and demonstrate the vulnerability in the input() function in Python 2.x. In Python 3 the Python 2 version of input() was removed; the name input() now refers to the function that Python 2 called raw_input(), which returns the typed text as a string.

Methods for inputting data in Python 2.x

There are two common ways to read interactive input in Python 2.x:

  1. Using the input() function: this function evaluates the text you type as a Python expression and returns the result, so the value keeps whatever type that expression has (int, str, list, and so on).
  2. Using the raw_input() function: this function returns exactly what you typed, always as a string.

Let's use the following program to show the difference between the two:

# Python 2.x program to show the difference between
# input() and raw_input()

# Three inputs using raw_input(); after each one,
# the type of the value read is displayed
s1 = raw_input("Enter input to test raw_input() function: ")
print type(s1)

s2 = raw_input("Enter input to test raw_input() function: ")
print type(s2)

s3 = raw_input("Enter input to test raw_input() function: ")
print type(s3)

# Three inputs using input(); after each one,
# the type of the value read is displayed.
# input() evaluates the text as a Python expression,
# so the type depends on what was typed
s4 = input("Enter input to test input() function: ")
print type(s4)

s5 = input("Enter input to test input() function: ")
print type(s5)

s6 = input("Enter input to test input() function: ")
print type(s6)

Input data:

 Hello
 456
 [1,2,3]
 45
 "goodbye"
 [1,2,3]

Output:

 Enter input to test raw_input() function: <type 'str'>
 Enter input to test raw_input() function: <type 'str'>
 Enter input to test raw_input() function: <type 'str'>
 Enter input to test input() function: <type 'int'>
 Enter input to test input() function: <type 'str'>
 Enter input to test input() function: <type 'list'>


Note:
When entering a string via input(), the value must be enclosed in quotes (single or double), because the text is evaluated as a Python expression and an unquoted word is treated as a variable name. This is not required with raw_input().

Vulnerability in input ()

The vulnerability in input() is that the typed text is evaluated as a Python expression in the calling program's scope (input() behaves like eval(raw_input())). Anyone at the prompt can therefore read a variable, or call a function, simply by typing its name. Let's look at the two cases one at a time:

  1. Variable name as input: typing the name of a variable at the input() prompt returns that variable's current value, exactly as if the value itself had been typed in.

    # Python 2.x program showing the vulnerability
    # in input() using a variable name as the input

    import random

    secret_number = random.randint(1, 500)

    print "Pick a number between 1 to 500"

    while True:
        # input() evaluates the typed text as a Python expression,
        # so typing the name secret_number yields its value
        res = input("Guess the number: ")
        if res == secret_number:
            print "You win"
            break
        else:
            print "You lose"
            continue

    Input data:

     15

    Output:

     Pick a number between 1 to 500
     Guess the number: You lose
     Guess the number:

    Input:

     secret_number

    Output:

     Pick a number between 1 to 500
     Guess the number: You win

    As you can see, in the second case the variable name secret_number can be given directly as input, and the answer is always "You win". input() evaluates the name to the variable's value, so the comparison is always true. With raw_input() this would not be possible: the text "secret_number" would be returned as a plain string and compared as such.

  2. Function name as input. The same weakness lets us type a function call as input, which runs that function and hands back values that were never meant to be reachable from the prompt.

    # Python 2.x program demonstrating the input() vulnerability
    # by passing a function call as the input

    secret_value = 500

    # function that returns the secret value
    def secretfunction():
        return secret_value

    # using raw_input() to read a guess
    input1 = raw_input("Raw_input(): Guess secret number: ")

    # input1 is a string, so convert it to an int before comparing;
    # anything that is not a number (such as "secretfunction()") is rejected
    try:
        guess1 = int(input1)
    except ValueError:
        guess1 = None

    if guess1 == secret_value:
        print "You guessed correct"
    else:
        print "wrong answer"

    # using input() to read a guess
    input2 = input("Input(): Guess the secret number: ")

    # input2 is whatever the typed expression evaluates to,
    # including the return value of a function call
    if input2 == secret_value:
        print "You guessed correct"
    else:
        print "wrong answer"

    Input:

     400
     secretfunction()

    Output:

     Raw_input(): Guess secret number: wrong answer
     Input(): Guess the secret number: You guessed correct

    In this run we can see that with raw_input() the typed text stays a string and must be converted: the program reports a wrong answer unless the actual number is typed. With input(), however, we can type the name of a function or variable and the interpreter will evaluate it.
    Here the input to input() was the function call secretfunction(). The interpreter executes the call, which returns the secret number we are trying to guess, so the if condition is true even though we never typed the secret number.

    Input:

     secretfunction()
     secret_value

    Output:

     Raw_input(): Guess secret number: wrong answer
     Input(): Guess the secret number: You guessed correct

    As explained in the first case, in this run we were also able to type the variable name secret_value at the input() prompt and read the secret value.
    Typing secretfunction() at the raw_input() prompt, however, gives "wrong answer", because raw_input() returns the text as a string and never evaluates it as a function call.

Preventing Input Vulnerabilities

It is always best to use raw_input() in Python 2.x and then explicitly convert the input to the type that is needed. For example, if we want an integer, we can do the following:

 n = int(raw_input()) 

This never evaluates the typed text as code, so no variable lookup or function call can be triggered from the prompt; int() raises ValueError on anything that is not a number, which the program should catch. If a non-string literal such as a list is genuinely required, ast.literal_eval(raw_input()) parses Python literals only and refuses names and calls. Never use input() in Python 2.x on untrusted input; its unsafe evaluation is why Python 3 dropped it.
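As an added example, not part of the original article: the script below mimics Python 2's input() with eval() so the mechanism from both cases above can be seen under Python 2 and Python 3 alike, and puts the article's int(raw_input()) remedy and ast.literal_eval() beside it. The names python2_style_input, safe_int, safe_literal, classify and prompt_for_int, the constructed inputs, and the fallback from raw_input() to input() on Python 3 are all assumptions made for this example.

```python
# Added example (not from the original article): how Python 2's input()
# reaches variables and functions, and how to read input safely instead.
# Runs under Python 2 and Python 3. raw_input() exists only in Python 2;
# falling back to input() on Python 3 (where it already returns a str)
# is an assumption of this example.
from __future__ import print_function
import ast

try:
    read_line = raw_input          # Python 2: returns the typed text as a str
except NameError:                   # Python 3: input() already returns a str
    read_line = input


def python2_style_input(text, namespace):
    """Mimic Python 2's input(): evaluate the text as a Python expression.

    Python 2's input() is equivalent to eval(raw_input()), so the text is
    evaluated with access to the caller's names. `namespace` stands in for
    the caller's globals to keep this self-contained.
    """
    return eval(text, namespace)


def safe_literal(text):
    """Parse Python literals only (numbers, strings, lists, ...).

    ast.literal_eval never resolves names or calls functions, so
    'secret_number' or 'secretfunction()' raise ValueError instead of
    leaking data.
    """
    return ast.literal_eval(text)


def safe_int(text):
    """The article's recommended pattern, int(raw_input()), with error handling."""
    try:
        return int(text.strip())
    except ValueError:
        return None


def guess_is_correct(text, secret):
    """Compare a typed guess against the secret without evaluating code."""
    guess = safe_int(text)
    return guess is not None and guess == secret


def prompt_for_int(prompt):
    """Interactive version: keep asking until a whole number is typed."""
    while True:
        value = safe_int(read_line(prompt))
        if value is not None:
            return value
        print("Please enter a whole number.")


# Constructed demonstration data (stands in for the guessing game's globals).
secret_number = 137


def secretfunction():
    return secret_number


demo_namespace = {"secret_number": secret_number,
                  "secretfunction": secretfunction}


def classify(text):
    """Run one typed string through the unsafe and the safe reader.

    Returns (eval_result, literal_result); each is the value obtained or
    the string 'rejected' when that reader refused the text.
    """
    try:
        unsafe = python2_style_input(text, dict(demo_namespace))
    except Exception:                 # eval also raises on malformed text
        unsafe = "rejected"
    try:
        literal = safe_literal(text)
    except (ValueError, SyntaxError):
        literal = "rejected"
    return unsafe, literal


if __name__ == "__main__":
    # Constructed inputs an attacker might type at the "Guess the number:" prompt.
    for typed in ["42", "secret_number", "secretfunction()",
                  "__import__('os').getpid()", "[1, 2, 3]"]:
        print("%-28r eval: %-12r literal_eval: %r"
              % ((typed,) + classify(typed)))
```

The fourth constructed input shows why this matters beyond the game: under Python 2's input() it runs an arbitrary call from the os module, whereas ast.literal_eval() and int() both refuse it.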

This article was contributed by Deepak Srivatsav.