Readline string modification - ebranca/owasp-pysec GitHub Wiki
- Affected Components : readline
- Operating System : Linux
- Python Versions : 2.6.x, 2.7.x
- Reproducible : Yes
```python
import sys

line = sys.stdin.readline()
while line:
    # print(repr(line) + '\n'),
    print(repr(line)),  # Python 2: the trailing comma suppresses the newline
    line = sys.stdin.readline()
print("eof")
```
To reproduce the problem, copy the source code into a file and execute the script using the following command syntax:
$ python -OOBRtt test.py
Alternatively, you can open Python in interactive mode:
$ python -OOBRtt <press enter>
Then copy the lines of code into the interpreter.
Once the script is loaded, type the following in order:
1
Enter
<backspace>
Enter
2
Enter
'
Enter
3
Enter
AAAAAA
Enter
Ctrl-D
With Ctrl-D being my tty's EOF.
Once the script is loaded and the characters are interpreted, the behaviour differs between Python 2.x and 3.x.
If executed under Python 2.6.x or Python 2.7.x, the result will be the following.
```
$ python 'test.py'
1
'1\n'
'\n' <--- PROBLEM HERE
'2\n''
"'\n"3
'3\n'AAAAAA
'AAAAAA\n' eof
```
If executed under Python 3.1 or 3.2, the result will be different.
```
$ python3 'test.py'
1
'1\n'
'\n'
2
'2\n'
'
"'\n"
3
'3\n'
AAAAAA
'AAAAAA\n'
eof
```
The Python readline module interprets the strings, and in Python 2.6 and 2.7, if backspace is used, this permanently changes the starting line and lines are mixed.
Because readline interprets the strings, its behaviour changes between Python 2.x and 3.x, and the returned strings are often modified or munged.
We are not aware of any easy solution other than trying to avoid using 'readline' in cases like the one examined.
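One way to follow that advice, as an added example that is not part of the original wiki page: read lines as raw bytes straight from the file descriptor so that nothing at the Python level rewrites them, and report bytes that a line editor would treat as editing commands. The function names, the `EDITING_BYTES` set and the sample input are assumptions of this example.

```python
import os

# Bytes that line editors commonly treat as editing commands rather than data
# (backspace, DEL, ESC, Ctrl-U, Ctrl-W). This set is an assumption of the example.
EDITING_BYTES = frozenset(bytearray(b"\x08\x7f\x1b\x15\x17"))


def read_raw_lines(fd, chunk_size=4096):
    """Yield each line from fd as unmodified bytes, bypassing sys.stdin and readline."""
    pending = b""
    while True:
        chunk = os.read(fd, chunk_size)
        if not chunk:  # EOF
            break
        pending += chunk
        while b"\n" in pending:
            line, _, pending = pending.partition(b"\n")
            yield line + b"\n"
    if pending:  # final line without a trailing newline
        yield pending


def audit_line(line):
    """Return (line, offsets), where offsets are the positions of editing bytes."""
    offsets = [i for i, b in enumerate(bytearray(line)) if b in EDITING_BYTES]
    return line, offsets


def demo():
    # Constructed input mirroring the key sequence above; the backspace key is
    # represented by byte 0x08 (an assumption, many terminals send 0x7f instead).
    sample = b"1\n\x08\n2\n'\n3\nAAAAAA\n"
    r, w = os.pipe()
    os.write(w, sample)
    os.close(w)
    try:
        return [audit_line(raw) for raw in read_raw_lines(r)]
    finally:
        os.close(r)


if __name__ == "__main__":
    for line, offsets in demo():
        flag = "  <-- editing byte at %s" % offsets if offsets else ""
        print(repr(line) + flag)
```

On a terminal in canonical mode the kernel line discipline handles its configured erase character before the program reads the line, so that byte will not appear in the data.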
- [Python readline](https://docs.python.org/2/library/readline.html)
- [GNU readline](http://cnswww.cns.cwru.edu/php/chet/readline/rltop.html)
- [Programming with GNU Readline](http://web.mit.edu/gnu/doc/html/rlman_2.html)