Vulnerability in input() function – Python 2.x (original) (raw)

Last Updated : 29 Mar, 2024

This article aims to explain and explore the vulnerability in the input() function in Python 2.x. In Python 3, the raw_input() function was erased, and its functionality was transferred to a new built-in function known as input().

**Different Ways to Input Data in Python 2.x

There are two common methods to receive input in Python 2.x:

1. **input() function: This function takes the value and type of the input you enter **as it is without modifying any type.
2. **raw_input() function: This function **explicitly converts the input you give to type string,

Let us use the following program to determine the difference between the two:

Python

s1 = raw_input ( "Enter input to test raw_input() function: " )

print type (s1)

s2 = raw_input ( "Enter input to test raw_input() function: " )

print type (s2)

s3 = raw_input ( "Enter input to test raw_input() function: " )

print type (s3)

s4 = input ( "Enter input to test input() function: " )

print type (s4)

s5 = input ( "Enter input to test input() function: " )

print type (s5)

s6 = input ( "Enter input to test input() function: " )

print type (s6)

**Input:

Hello
456
[1,2,3]
45
"goodbye"
[1,2,3]

**Output:

Enter input to test raw_input() function: <type 'str'>
Enter input to test raw_input() function: <type 'str'>
Enter input to test raw_input() function: <type 'str'>
Enter input to test input() function: <type '****int**'>
Enter input to test input() function: <type '****str**'>
Enter input to test input() function: <type '****list**'>

**Note: While giving string input in the input() function, we have to enclose to value in double-quotes. This is not required in raw_input()

**Vulnerability in input() Method

The vulnerability in input() method lies in the fact that the variable accessing the value of input can be accessed by anyone just by using the name of the variable or method. Below are some vulnerability in input() method:

• Variable name as input parameter:
• Function name as parameter

**Variable Name as Input Parameter

The variable having the value of input variable is able to access the value of the input variable directly.

Python3

import random

secret_number = random.randint( 1 , 500 )

print ( "Pick a number between 1 to 500" )

while True :

`` res = input ( "Guess the number: " )

`` if res = = secret_number:

`` print ( "You win" )

`` break

`` else :

`` print ( "You lose" )

`` continue

Python

import random

secret_number = random.randint( 1 , 500 )

print "Pick a number between 1 to 500"

while True :

`` res = input ( "Guess the number: " )

`` if res = = secret_number:

`` print "You win"

`` break

`` else :

`` print "You lose"

`` continue

**Input1:

15

**Output1:

Pick a number between 1 to 500
Guess the number: You lose
Guess the number:

**Input2:

secret_number

**Output2:

Pick a number between 1 to 500
Guess the number: You win

As it can be seen, in the second case the variable “secret_number” can be directly given as input and the answer is always “You won”. It evaluates the variable as if a number was directly entered, which means it returns a True Boolean always. Using raw_input, would not be possible as it disallows reading the variable directly.

Python 3 shows different results. If “secret_number” is given as input, answer is ‘You lose’.

**Function Name as Parameter

The vulnerability lies here as we can even provide the name of a function as input and access values that are otherwise not meant to be accessed. In this set of input/output, we can see that when we use raw_input, we necessarily have to input the correct number. However while using the input() function, we can even provide the name of a function or variable, and the interpreter will evaluate that. Here for example, the input for input() function has been given as the name of a function ‘secretfunction()’. The interpreter evaluates this function call and returns the secret number that we wish to find and hence our if the condition evaluates to be true, even though we did not enter the secret number.

Python

secret_value = 500

def secretfunction():

`` return secret_value

input1 = raw_input ( "Raw_input(): Guess secret number: " )

if input1 = = secret_value:

`` print "You guessed correct"

else :

`` print "wrong answer"

input2 = input ( "Input(): Guess the secret number: " )

if input2 = = secret_value:

`` print "You guessed correct"

else :

`` print "wrong answer"

**Input1:

400
secretfunction()

**Output1:

Raw_input(): Guess secret number: wrong answer
Input(): Guess the secret number: You guessed correct

As explained in the first point, in this example also we were able to simply enter the variable name ‘secret_number’ in the input for ‘input()’ function and we were able to gain access to the secret value. However, while trying to call secretfunction() in the input for the raw_input() function, it gives us false as the interpreter converts our argument to a string, and doesn’t evaluate it as a function call.

**Input2:

secretfunction()
secret_value

**Output2:

Raw_input(): Guess secret number: wrong answer
Input(): Guess the secret number: You guessed correct

**Preventing Input Vulnerabilities

It is always better to use raw_input() in python 2.x and then explicitly convert the input to whatever type we require. For example, if we wish to take the input of an integer, we can do the following

n = int(raw_input())

This prevents the malicious calling or evaluation of functions.