|
|
|
|
|
|
by oneweekwonder
1649 days ago
|
|
|
The author of flask(and a lot more python stuff) goes a bit into detail here[0]. And as pointed out by another commenter my scenario is imaginary because user input needs to be passed to a f-strings. But I did update my original example with a tested `exec` because then you can import modules. I do see my imaginary attack as low effort for a grey- or black-hat to automate and weaponize. As mentioned/asked by parent, will we see mini renaissance of format string vulnerabilities, and I believe the answer is yes. [0]: https://lucumr.pocoo.org/2016/12/29/careful-with-str-format/ |
|
|