Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How can locals() be exploited in python code?

Tags:

python

namespaces

I stumbled across the following warning when I was reading Code Like a Pythonista: Idiomatic Python by David Goodger.

Excerpt from the article ...

print('Hello %(name)s, you have %(messages)i messages' % locals())

This is very powerful. With this, you can do all the string formatting you want without having to worry about matching the interpolation values to the template.

But power can be dangerous. "With great power comes great responsibility." If you use the locals() from with an externally-supplied template string, you expose your entire local namespace to the caller. This is just something to keep in mind.

I am trying to understand the specific scenarios in which using locals() can be dangerous. Any examples of how the presence of locals() in a code can be exploited are appreciated. Thanks!

like image 421
Praveen Gollakota Avatar asked Apr 07 '11 18:04

Praveen Gollakota

People also ask

What does locals () do in Python?

Python locals() Function The locals() function returns the local symbol table as a dictionary. A symbol table contains necessary information about the current program.

How do I use globals and locals in Python?

The globals(), locals() and reload() Functions in PythonIf locals() is called from within a function, it will return all the names that can be accessed locally from that function. If globals() is called from within a function, it will return all the names that can be accessed globally from that function.

What do you mean by global () and locals () functions?

Global variables are declared outside any function, and they can be accessed (used) on any function in the program. Local variables are declared inside a function, and can be used only inside that function. It is possible to have local variables with the same name in different functions.

What does local mean in Python?

In Python or any other programming languages, the definition of local variables remains the same, which is “A variable declared inside the function is called local function”. We can access a local variable inside but not outside the function.

1 Answers

Sample, trivial code:

script_name = 'readpw.py'
...
entered_pw = raw_input()
if entered_pw != real_pw:
    print "%(script_name)s: The password you entered: "+entered_pw+" is incorrect."%locals()

Consider the case where entered_pw is %(real_pw)s

like image 200
yan Avatar answered Sep 17 '22 17:09

yan
Sign in to Comment

Related questions

tail -f in a webbrowser
Django models & Python class attributes
ImportError: No module named QtWebKit
Which Dynamic Internationalisation system to use in Django projects?
Reading a Turtle/N3 RDF File with Python
Python, mechanize, proper syntax for setting multiple headers?
Check that a function raises a warning with nose tests
customize ticks for AxesImage?
Issue with SqlAlchemy - "Parent instance <SomeClass> is not bound to a Session; lazy load operation..."
Equality of Python classes using slots
Python Interactive Interpreter always returns "Invalid syntax" on Windows
Passing Command line argument to Python program using IDLE? [duplicate]
Get pid of the process which has triggered some signal
Python using 'with' to delete a file after use
Using cPickle to serialize a large dictionary causes MemoryError
Persistent ssh session to Cisco router
Is this the best way to ensure that a python unicode "string" is encoded in utf-8?
Django DateTimeField Defined as blank=True, null=True but doesn't allow null
Python 3.2 idle : range function - print or list?
Docx to pdf using openoffice headless way too slow

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!