A more detailed response.
Tim Johnson wrote:
I'm using 2.6.5 on ubuntu 10.04.
I'm evaluating a very large string using a named-value formatting
scheme. The process fails with the following error message:
"""not enough arguments for format string"""
I'd take that as a fairly straightforward error message. You have N
fields on the right hand side, and at least N+1 on the left hand side,
for some value of N. I'm not sure why you're perplexed -- there's
nothing in your post that explains why this is more difficult than a
mismatch in targets vs fields provided.
In the first place, I wouldn't expect to even see this error
message, because as the python documentation says:
"""
Python calls the get-item method of the right-hand-side mapping
(__getitem__), when the righthand side is an instance object.
"""
Context and URL please. Just because you've just looked it up and have
it fresh in your brain doesn't me the rest of us have too :)
As for the right-hand mapping - I'm using the following:
class Evalx:
def __init__(self, localvals = None, globalvals = None):
Dear me... messing with globals and locals. That's always a bad sign.
But let's assume this is that one time in 100 that it is actually
justified...
if localvals is None:
self.locals = sys._getframe(1).f_locals
Are you aware that this is non-portable and subject to change without
notice?
else :
self.locals = locals
if globalvals is None:
self.globals = sys._getframe(1).f_globals
else :
self.globals = globals
def __getitem__(self,key):
return eval(key,self.globals,self.locals)
Using eval is nearly always a bad thing. Your class is now potentially
vulnerable to code injection attacks. I hope you can trust the source of
the target string *and* the globals and locals functions.
(And of course just because you can trust it *today*, doesn't mean you
can tomorrow. Code has a way of being reused.
the implementation looks like this:
self.content = content % Evalx()
What's self? What's content? What global and local variables do you have?
(This is just one of the many reasons why messing with globals and
locals is bad... you often can't see what a piece of code does unless
you know exactly what *all* the locals and globals are, not just the
ones in the piece of code you're looking at.)
I would really appreciate some insights on this issue.
I don't really know how to debug this, except for to look for some
"%s" in the `content' string.
Quite.
>>> x = 42
>>> "%(x)s" % Evalx()
'42'
>>> "%(x)s %s" % Evalx()
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
TypeError: not enough arguments for format string
It's not just %s, of course, any % target that isn't named. This
includes %s %d %i %f %g %G %r %x %X plus others.
Oh, and if the security vulnerability isn't obvious already:
>>> "%(x)s %(os.system('echo \"If I can fool you into running this, I
will own your PC.\"'))s" % Evalx()
If I can fool you into running this, I will own your PC.
'42 0'
This is just one of *many* ways to inject code into your string
formatting operation.
--
Steven
_______________________________________________
Tutor maillist - Tutor@python.org
To unsubscribe or change subscription options:
http://mail.python.org/mailman/listinfo/tutor
