-
Notifications
You must be signed in to change notification settings - Fork 109
Readline string modification
-
Affected Components : readline
-
Operating System : Linux
-
Python Versions : 2.6.x, 2.7.x
-
Reproducible : Yes
import sys
line = sys.stdin.readline()
while (line):
#print(repr(line) + '\n'),
print(repr(line)),
line = sys.stdin.readline()
print("eof")To reproduce the problem copy the source code in a file and execute the script using the following command syntax:
$ python -OOBRtt test.pyAlternatively you can open python in interactive mode:
$ python -OOBRtt <press enter>Then copy the lines of code into the interpreter.
Once the script is loaded type in the following order:
1
Enter
<backspace>
Enter
2
Enter
'
Enter
3
Enter
AAAAAA
Enter
Ctrl-D
With Ctrl-D being my tty's EOF.
Once the script is loaded and characters are interpreted the behaviour will be different from version 2.x to 3.x.
If executed under python 2.6.x or python 2.7.x the result will be the following.
$ python 'test.py'
1
'1\n'
'\n' <--- PROBLEM HERE
'2\n''
"'\n"3
'3\n'AAAAAA
'AAAAAA\n' eofIf executed under python 3.1 or 3.2 the result will be different.
$ python3 'test.py'
1
'1\n'
'\n'
2
'2\n'
'
"'\n"
3
'3\n'
AAAAAA
'AAAAAA\n'
eofPython readline module interpret the strings and in python 2.6 and 2.7 if backspace is used, this changes permanently the starting line and lines are mixed.
Due to the fact that readline interprets the strings it's behaviour changes between python 2.x and 3.x and the returning strings are often modified or munged.
We are not aware on any easy solution other than trying to avoid using 'readline' in cases like the one examined.
[Python readline][01] [01]:https://docs.python.org/2/library/readline.html
[GNU readline][02] [02]:http://cnswww.cns.cwru.edu/php/chet/readline/rltop.html
[Programming with GNU Readline][03] [03]:http://web.mit.edu/gnu/doc/html/rlman_2.html
Main site: pythonsecurity.org
OWASP Page: owasp.org/index.php/OWASP_Python_Security_Project