python - Is input() safe to use if you cast it as a string? - Stack Overflow
How can Python 2's input() be exploited cause a comparison against a random number yet-to-be-generated to pass? - Stack Overflow
Python 2.7에서 input()이 보안 문제인 이유 (4분) 데모
Is Python a Security Vulnerability?
No, there is nothing inherently insecure about python.
However Python can be used to make a vulnerability. For instance it would be easy to make a web portal that executes anything that is typed in. This is true for any programming language, but python makes it extra easy.
And I know, you would know better, but IT departments see all their users as idiots (often with good reason).
More on reddit.comis there any way to exploit input() and make it output "RIGHT password"?
Yep:
C:\Users\Kevin\Desktop>py -2 test.py
Enter the password: __import__('sys').stdout.write('RIGHT password') or exit(0)
RIGHT password
C:\Users\Kevin\Desktop>
"But that doesn't count because you're printing your own output and terminating early", you protest hypothetically. "Show me an example where the conditional actually executes".
C:\Users\Kevin\Desktop>py -2 test.py
Enter the password: (1, globals().update({"random": type("", (object,), {"__init__": lambda self: setattr(self, "randint", lambda x,y: "1")})()}))[0]
RIGHT password
C:\Users\Kevin\Desktop>
"Ok, well, in a real application I wouldn't be using random.randint to determine the password. Show me an example where the conditional inp == "hunter2": passes"
import random
inp = str(input("Enter the password: "))
if inp == "hunter2":
print "RIGHT password"
else:
print "WRONG password"
C:\Users\Kevin\Desktop>py -2 test.py
Enter the password: __import__("re").search(r"if inp == \"(.*?)\"", open(__file__).read()).group(1)
RIGHT password
"That doesn't count because you read the file. Show me an example where you don't extract the password from the source code"
C:\Users\Kevin\Desktop>py -2 test.py
Enter the password: type("", (str,), {"__str__": lambda self: self, "__eq__": lambda self, other: True})()
RIGHT password
C:\Users\Kevin\Desktop>
input has to process the string before it ever returns a value for str to turn back into a string. So no, "casting" does not make it safe.