Numeric literal and whitespaces
- Affected Components: builtin
- Operating System: Linux
- Python Versions: 2.6.x, 2.7.x
- Reproducible: Yes
```python
# Python 2 test script (the print statement and string.atof are Python 2 only).
# Each case converts a string containing whitespace and reports whether the
# builtin accepted it (OK) or raised an exception (KO).
import string

try:
    x = int('+ 0')
    print """OK: int('+ 0') - string converted"""
except Exception as e:
    print """KO: int('+ 0') - string not converted raise Error: """ + repr(e)

try:
    y = float('+0.0')
    print """OK: float('+0.0') - string converted"""
except Exception as e:
    print """KO: float('+0.0') - string not converted raise Error: """ + repr(e)

try:
    z = float('+ 0.0')
    print """OK: float('+ 0.0') - string converted"""
except Exception as e:
    print """KO: float('+ 0.0') - string not converted raise Error: """ + repr(e)

try:
    a = int('2 3')
    print """OK: int('2 3') - string converted"""
except Exception as e:
    print """KO: int('2 3') - string not converted raise Error: """ + repr(e)

try:
    # string.atof is a thin wrapper around float() in Python 2
    b = string.atof("-2")
    print """OK: string.atof("-2") - string converted"""
except Exception as e:
    print """KO: string.atof("-2") - string not converted raise Error: """ + repr(e)

try:
    c = string.atof("- 2")
    print """OK: string.atof("- 2") - string converted"""
except Exception as e:
    print """KO: string.atof("- 2") - string not converted raise Error: """ + repr(e)
```
To reproduce the problem, copy the source code into a file and execute the script with the following command:

```
$ python -OOBRtt test.py
```

Alternatively, open Python in interactive mode:

```
$ python -OOBRtt
```

and paste the lines of code into the interpreter.
Tests using Python 2.6 generated the following results:
- OK: int('+ 0') - string converted
- OK: float('+0.0') - string converted
- KO: float('+ 0.0') - string not converted raise Error: ValueError('invalid literal for float(): + 0.0',)
- KO: int('2 3') - string not converted raise Error: ValueError("invalid literal for int() with base 10: '2 3'",)
- OK: string.atof("-2") - string converted
- KO: string.atof("- 2") - string not converted raise Error: ValueError('invalid literal for float(): - 2',)
And tests using Python 2.7 generated the following results:
- OK: int('+ 0') - string converted
- OK: float('+0.0') - string converted
- KO: float('+ 0.0') - string not converted raise Error: ValueError('could not convert string to float: + 0.0',)
- KO: int('2 3') - string not converted raise Error: ValueError("invalid literal for int() with base 10: '2 3'",)
- OK: string.atof("-2") - string converted
- KO: string.atof("- 2") - string not converted raise Error: ValueError('could not convert string to float: - 2',)
Whitespace between the sign and the digits is handled inconsistently. int() silently discards it: int('+ 0') returns 0, even though the documentation for int() describes the literal as optionally preceded by + or - "with no space in between". float() and string.atof() reject the same input with a ValueError. Whitespace between digits, as in int('2 3'), is rejected by every type, and leading and trailing whitespace is discarded by every type. (Python 3 rejects the space after the sign in int() as well, so the behaviour there is consistent.)

The security-relevant consequence is that two code paths that are supposed to agree on what a number is do not: a value that passes a check built on int() can be rejected, or interpreted differently, by one built on float(), and vice versa. We are not aware of any easy fix inside the interpreter. Application code should therefore not rely on the builtins' tolerance: strip leading and trailing whitespace explicitly, reject unprintable characters, and validate the remaining string against an explicit grammar (for example, a regular expression allowing only an optional sign immediately followed by digits) before handing it to int() or float().
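As an added example (not part of the original report, and written for Python 3 rather than the 2.6/2.7 builds tested above), the following pair of strict wrappers applies the validation recommended here before calling the builtins. The grammar and the helper names (strict_int, strict_float, is_rejected, differential) are this example's own choices. On Python 3 the int() sign-whitespace difference no longer exists, but the builtins still accept inputs an explicit grammar would not (underscores between digits, non-ASCII decimal digits and whitespace, 'nan'/'inf'), so the same pattern remains useful.

```python
import re

# Explicit grammar for the numeric strings we are willing to convert.
# The optional sign must be directly followed by the digits and no whitespace
# is allowed anywhere inside the literal, so '+ 0', '- 2' and '2 3' are all
# rejected regardless of which builtin would later parse the string.
# re.ASCII keeps [0-9] from matching non-ASCII decimal digits, which int()
# and float() otherwise accept.
_INT_RE = re.compile(r"[+-]?[0-9]+", re.ASCII)
_FLOAT_RE = re.compile(
    r"[+-]?(?:[0-9]+\.?[0-9]*|\.[0-9]+)(?:[eE][+-]?[0-9]+)?", re.ASCII
)

# Only these characters are treated as ignorable padding. str.strip() with no
# argument would also remove Unicode whitespace such as U+00A0, which we want
# to surface as an error rather than silently accept.
_ASCII_WS = " \t\n\r\f\v"


def _normalize(text):
    """Reject non-strings and strip leading/trailing ASCII whitespace only."""
    if not isinstance(text, str):
        raise TypeError("numeric input must be str, got %s" % type(text).__name__)
    return text.strip(_ASCII_WS)


def strict_int(text):
    """Convert text to int only if it matches the explicit integer grammar."""
    candidate = _normalize(text)
    if _INT_RE.fullmatch(candidate) is None:
        raise ValueError("invalid integer literal: %r" % (text,))
    return int(candidate)


def strict_float(text):
    """Convert text to float only if it matches the explicit float grammar.

    'nan', 'inf', 'infinity' and hexadecimal forms are deliberately outside
    the grammar: accept them explicitly if the application needs them.
    """
    candidate = _normalize(text)
    if _FLOAT_RE.fullmatch(candidate) is None:
        raise ValueError("invalid float literal: %r" % (text,))
    return float(candidate)


def is_rejected(parser, text):
    """True if parser raises a validation error (ValueError/TypeError) for text."""
    try:
        parser(text)
    except (ValueError, TypeError):
        return True
    return False


def differential(samples):
    """Compare the builtin and the strict parser on each sample.

    Returns a list of tuples
    (sample, int_accepts, strict_int_accepts, float_accepts, strict_float_accepts)
    so that disagreements between the code paths are visible at a glance.
    """
    rows = []
    for sample in samples:
        rows.append((
            sample,
            not is_rejected(int, sample),
            not is_rejected(strict_int, sample),
            not is_rejected(float, sample),
            not is_rejected(strict_float, sample),
        ))
    return rows


if __name__ == "__main__":
    # Constructed inputs: the report's cases plus a few Python 3 tolerances
    # (underscore, non-breaking space, 'nan', Arabic-Indic digits).
    SAMPLES = ["+0", " -2 ", "+ 0", "+ 0.0", "2 3", "- 2",
               "1_000", "\xa01", "nan", "\u0661\u0662"]
    for row in differential(SAMPLES):
        print("%-12r int=%-5s strict_int=%-5s float=%-5s strict_float=%s" % row)
```

The wrappers are intentionally stricter than the builtins: anything the grammar does not name is an error, and the caller decides whether to widen the grammar. Running the module prints one row per sample so the acceptance differences between int(), float() and the strict versions can be compared directly.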
- [Python builtin types](https://docs.python.org/2/library/stdtypes.html)
- [Python builtin functions](https://docs.python.org/2/library/functions.html)
- [Python bug 14252](http://bugs.python.org/issue620181)
Main site: pythonsecurity.org
OWASP Page: owasp.org/index.php/OWASP_Python_Security_Project