Re: Loop through a dict changing keys
On Oct 15, 5:53 pm, PoD p...@internode.on.net wrote:
data = {
'Mobile': 'string',
'context': 'malicious code',
'order': '7',
'time': 'True'}
types={'Mobile':str,'context':str,'order':int,'time':bool}
for k,v in data.items():
data[k] = types[k](v)
Thanks for the tip, I didn't know you could do that. I ended up
filtering the values the bulky way, but it gives me total control over
what internet users feed my program.
-- Gnarlie
--
http://mail.python.org/mailman/listinfo/python-list
Re: Loop through a dict changing keys
On Mon, Oct 17, 2011 at 5:20 AM, Gnarlodious gnarlodi...@gmail.com wrote:
On Oct 15, 5:53 pm, PoD p...@internode.on.net wrote:
types={'Mobile':str,'context':str,'order':int,'time':bool}
for k,v in data.items():
data[k] = types[k](v)
Thanks for the tip, I didn't know you could do that. I ended up
filtering the values the bulky way, but it gives me total control over
what internet users feed my program.
It should be noted that this will not in any way sanitize
data['context']. It calls the str() function on it, thus ensuring that
it's a string, but that's all. If you're needing to deal with
(potentially) malicious input, you'll want to swap in a function that
escapes it in some way (if it's going into a database, your database
engine will usually provide a 'quote' or 'escape' function; if it's to
go into a web page, I think cgi.escape is what you want).
ChrisA
--
http://mail.python.org/mailman/listinfo/python-list
Re: Loop through a dict changing keys
Uh, sounds reasonable, if one loops over an index variable that could be altered during the loop execution then the loop may not end as expected. -- http://mail.python.org/mailman/listinfo/python-list
Re: Loop through a dict changing keys
On Mon, Oct 17, 2011 at 10:21 AM, 8 dihedral dihedral88...@googlemail.com wrote: Uh, sounds reasonable, if one loops over an index variable that could be altered during the loop execution then the loop may not end as expected. From the docs: Iterating views while adding or deleting entries in the dictionary may raise a RuntimeError or fail to iterate over all entries. Changing the values of existing entries while iterating is considered to be safe, though. -- http://mail.python.org/mailman/listinfo/python-list
Re: Loop through a dict changing keys
On Sun, 16 Oct 2011 11:20:49 -0700, Gnarlodious wrote:
On Oct 15, 5:53 pm, PoD p...@internode.on.net wrote:
data = {
'Mobile': 'string',
'context': 'malicious code',
'order': '7',
'time': 'True'}
types={'Mobile':str,'context':str,'order':int,'time':bool}
for k,v in data.items():
data[k] = types[k](v)
Thanks for the tip, I didn't know you could do that. I ended up
filtering the values the bulky way,
What is the bulky way?
but it gives me total control over
what internet users feed my program.
Why does this not fill me with confidence?
As Jon Clements has already spotted a major bug in the above: using bool
as shown is not correct. Furthermore, converting 'malicious code' into
a string does nothing, since it is already a string.
Gnarlodious, it is good that you are concerned about code injection
attacks, but defending against them is not simple or easy. I don't intend
to sound condescending, but when your response to being shown a simple
filter that maps keys to types is to say I didn't know you could do
that, that's a good warning that your Python experience may not be quite
up to the job of out-guessing the sort of obscure tricks hostile
attackers may use.
If you think that defending against malicious code is simple, you should
read this blob post:
http://tav.espians.com/a-challenge-to-break-python-security.html
and the thread which inspired it:
http://mail.python.org/pipermail/python-dev/2009-February/086401.html
How do you sanitize user input?
--
Steven
--
http://mail.python.org/mailman/listinfo/python-list
Re: Loop through a dict changing keys
On Sun, 16 Oct 2011 00:18:40 -0700, Jon Clements wrote:
On Oct 16, 12:53 am, PoD p...@internode.on.net wrote:
On Sat, 15 Oct 2011 11:00:17 -0700, Gnarlodious wrote:
What is the best way (Python 3) to loop through dict keys, examine
the string, change them if needed, and save the changes to the same
dict?
So for input like this:
{'Mobile': 'string', 'context': 'malicious code', 'order': '7',
'time': 'True'}
I want to booleanize 'True', turn '7' into an integer, escape
'malicious code', and ignore 'string'.
Any elegant Python way to do this?
-- Gnarlie
How about
data = {
'Mobile': 'string',
'context': 'malicious code',
'order': '7',
'time': 'True'}
types={'Mobile':str,'context':str,'order':int,'time':bool}
for k,v in data.items():
data[k] = types[k](v)
Bit of nit-picking, but:
bool('True')
True
bool('False')
True
bool('')
False
Oops :) Brain fade.
--
http://mail.python.org/mailman/listinfo/python-list
Re: Loop through a dict changing keys
On Oct 16, 5:25 pm, Steven D'Aprano steve
+comp.lang.pyt...@pearwood.info wrote:
How do you sanitize user input?
Thanks for your concern. This is what I now have, which merely expands
each value into its usable type (unquotes them):
# filter each value
try:
var=int(var)
except ValueError:
if var in ('False', 'True'):
var=eval(var) # extract booleans
else:
var=cgi.escape(var)
This is really no filtering at all, since all CGI variables are
written to a dictionary without checking. However, if there is no
receiver for the value I should be safe, right?
I am also trapping some input at mod_wsgi, like php query strings. And
that IP address gets quarantined. If you can suggest what attack words
to block I'll thank you for it.
I also have a system to reject variables that are not in a list, but
waiting to see what the logfiles show before deploying it.
-- Gnarlie
http://Gnarlodious.com
--
http://mail.python.org/mailman/listinfo/python-list
Re: Loop through a dict changing keys
On Sun, 16 Oct 2011 17:41:55 -0700, Gnarlodious wrote:
On Oct 16, 5:25 pm, Steven D'Aprano steve
+comp.lang.pyt...@pearwood.info wrote:
How do you sanitize user input?
Thanks for your concern. This is what I now have, which merely expands
each value into its usable type (unquotes them):
# filter each value
try:
var=int(var)
Should be safe, although I suppose if an attacker passed (say) five
hundred thousand 9 digits, it might take int() a while to generate the
long int. Instant DOS attack.
A blunt object fix for that is to limit the user input to (say) 500
characters, which should be long enough for any legitimate input string.
But that will depend on your application.
except ValueError:
if var in ('False', 'True'):
var=eval(var) # extract booleans
Well, that's safe, but slow, and it might encourage some future
maintainer to use eval in less safe ways. I'd prefer:
try:
{'True': True, 'False': False}[var]
except KeyError:
pass # try something else
(To be a little more user-friendly, use var.strip().title() instead of
just var.)
else:
var=cgi.escape(var)
This is really no filtering at all, since all CGI variables are written
to a dictionary without checking. However, if there is no receiver for
the value I should be safe, right?
What do you mean no receiver?
If you mean that you don't pass the values to eval, exec, use them in SQL
queries, call external shell scripts, etc., then that seems safe to me.
But I'm hardly an expert on security, so don't take my word on it. And it
depends on what you end up doing in the CGI script.
I am also trapping some input at mod_wsgi, like php query strings. And
that IP address gets quarantined. If you can suggest what attack words
to block I'll thank you for it.
That's the wrong approach. Don't block words in a blacklist. Block
everything that doesn't appear in a whitelist. Otherwise you're
vulnerable to a blackhat coming up with an attack word that you never
thought of. There's one of you and twenty million of them. Guess who has
the advantage?
--
Steven
--
http://mail.python.org/mailman/listinfo/python-list
Re: Loop through a dict changing keys
Steven: Thanks for those tips, I've implemented all of them. Also only allowing whitelisted variable names. Feeling much more confident. -- Gnarlie -- http://mail.python.org/mailman/listinfo/python-list
Re: Loop through a dict changing keys
On Oct 16, 12:53 am, PoD p...@internode.on.net wrote:
On Sat, 15 Oct 2011 11:00:17 -0700, Gnarlodious wrote:
What is the best way (Python 3) to loop through dict keys, examine the
string, change them if needed, and save the changes to the same dict?
So for input like this:
{'Mobile': 'string', 'context': 'malicious code', 'order': '7',
'time': 'True'}
I want to booleanize 'True', turn '7' into an integer, escape
'malicious code', and ignore 'string'.
Any elegant Python way to do this?
-- Gnarlie
How about
data = {
'Mobile': 'string',
'context': 'malicious code',
'order': '7',
'time': 'True'}
types={'Mobile':str,'context':str,'order':int,'time':bool}
for k,v in data.items():
data[k] = types[k](v)
Bit of nit-picking, but:
bool('True')
True
bool('False')
True
bool('')
False
--
http://mail.python.org/mailman/listinfo/python-list
Loop through a dict changing keys
What is the best way (Python 3) to loop through dict keys, examine the
string, change them if needed, and save the changes to the same dict?
So for input like this:
{'Mobile': 'string', 'context': 'malicious code', 'order': '7',
'time': 'True'}
I want to booleanize 'True', turn '7' into an integer, escape
'malicious code', and ignore 'string'.
Any elegant Python way to do this?
-- Gnarlie
--
http://mail.python.org/mailman/listinfo/python-list
Re: Loop through a dict changing keys
On 15/10/2011 19:00, Gnarlodious wrote:
What is the best way (Python 3) to loop through dict keys, examine the
string, change them if needed, and save the changes to the same dict?
So for input like this:
{'Mobile': 'string', 'context': 'malicious code', 'order': '7',
'time': 'True'}
I want to booleanize 'True', turn '7' into an integer, escape
'malicious code', and ignore 'string'.
Any elegant Python way to do this?
How about:
for key, value in my_dict.items():
if value == True:
my_dict[key] = True
--
http://mail.python.org/mailman/listinfo/python-list
Re: Loop through a dict changing keys
On 15.10.2011 20:00, Gnarlodious wrote:
What is the best way (Python 3) to loop through dict keys, examine the
string, change them if needed, and save the changes to the same dict?
So for input like this:
{'Mobile': 'string', 'context': 'malicious code', 'order': '7',
'time': 'True'}
I want to booleanize 'True', turn '7' into an integer, escape
'malicious code', and ignore 'string'.
Any elegant Python way to do this?
-- Gnarlie
I think JSON could be of some use, but I've not used it yet,
otherwise something like this could do it:
#!/usr/bin/python
from cgi import escape
def convert(string):
for conv in (int, lambda x: {'True': True, 'False': False}[x],
escape):
try:
return conv(string)
except (KeyError, ValueError):
pass
return string
d = {'Mobile': 'string',
'context': 'malicious code',
'order': '7',
'time': 'True'}
print d
for key in d:
d[key] = convert(d[key])
print d
$ ./conv.py
{'Mobile': 'string', 'order': '7', 'context': 'malicious code',
'time': 'True'}
{'Mobile': 'string', 'order': 7, 'context': 'lt;malicious
codegt;', 'time': True}
--
http://mail.python.org/mailman/listinfo/python-list
Re: Loop through a dict changing keys
Is there an FAQ available here? Please check the PYTHON official site and the active state PYTHON examples first, also check the PLEAC comparisons of a lot programming languages first! - Nothing is more thrilling to obtain black magics in text books! -- http://mail.python.org/mailman/listinfo/python-list
Re: Loop through a dict changing keys
On Sat, 15 Oct 2011 11:00:17 -0700, Gnarlodious wrote:
What is the best way (Python 3) to loop through dict keys, examine the
string, change them if needed, and save the changes to the same dict?
So for input like this:
{'Mobile': 'string', 'context': 'malicious code', 'order': '7',
'time': 'True'}
I want to booleanize 'True', turn '7' into an integer, escape
'malicious code', and ignore 'string'.
Any elegant Python way to do this?
-- Gnarlie
How about
data = {
'Mobile': 'string',
'context': 'malicious code',
'order': '7',
'time': 'True'}
types={'Mobile':str,'context':str,'order':int,'time':bool}
for k,v in data.items():
data[k] = types[k](v)
--
http://mail.python.org/mailman/listinfo/python-list
