5.2.1. Formatting Strings

In Python there are two ways to format strings. In older versions of Python 2 the only form was "this is a %s" % "test"; the str.format method was added later, with the syntax "this is a {}".format('test') or "this is a {test}".format(test='test').

When the format string itself is supplied by the user, this can cause problems. The simplest example follows:

>>> 'class of {0} is {0.__class__}'.format(42)
"class of 42 is <class 'int'>"

From this simple example it is clear that when we control the string being formatted, we can use attributes such as __init__ and __globals__ to read more sensitive values, and even execute arbitrary code.
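The vulnerable pattern beside a hardened string.Formatter subclass that whitelists field names, as an added example that is not part of the original page; the Config object and its field names are constructed for illustration:

```python
import string


class Config:
    """Constructed sample object that user-supplied templates are rendered against."""

    def __init__(self):
        self.name = "demo-service"
        self.port = 8080


def render_unsafe(template: str, cfg: Config) -> str:
    """Vulnerable pattern: the *template* comes from the user, so a field such as
    {cfg.__class__} walks the attributes of whatever object is passed in."""
    return template.format(cfg=cfg)


class RestrictedFormatter(string.Formatter):
    """string.Formatter subclass that accepts only whitelisted field names.

    The base class resolves "a.b" and "a[i]" inside get_field(); requiring an
    exact whitelist match there blocks attribute and index traversal as well as
    positional ({0}) and auto-numbered ({}) fields. Nested fields inside a format
    spec also go through get_field(), so they are covered too.
    """

    def __init__(self, allowed):
        super().__init__()
        self.allowed = frozenset(allowed)

    def get_field(self, field_name, args, kwargs):
        if field_name not in self.allowed:
            raise ValueError(f"template field not permitted: {field_name!r}")
        return kwargs[field_name], field_name


ALLOWED_FIELDS = ("name", "port")


def render_safe(template: str, cfg: Config) -> str:
    """Hardened version: whitelist the fields and pass plain values, not the object."""
    values = {"name": cfg.name, "port": cfg.port}
    return RestrictedFormatter(ALLOWED_FIELDS).format(template, **values)


def is_rejected(template: str, cfg: Config) -> bool:
    """True when the hardened renderer refuses the template."""
    try:
        render_safe(template, cfg)
    except ValueError:
        return True
    return False
```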