[Python-bugs-list] [ python-Bugs-832515 ] Bad Security Advice in CGI Documentation

SourceForge.net noreply at sourceforge.net
Sun Nov 2 11:31:51 EST 2003


Bugs item #832515, was opened at 2003-10-29 18:20
Message generated for change (Comment added) made by aleax
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=832515&group_id=5470

Category: Documentation
>Group: Python 2.3
>Status: Closed
>Resolution: Fixed
Priority: 5
Submitted By: Matt Steven (mr_perl)
>Assigned to: Alex Martelli (aleax)
Summary: Bad Security Advice in CGI Documentation

Initial Comment:
/usr/share/doc/python-docs-2.2.3/html/lib/node305.html

Contains the suggestion:

"When reading or writing external files, make sure they
can be read or written by every user on the system."

This is terrible advice, suggesting you make all your
files 777.

This line should be removed, or replaced with something
like

"When reading or writing external files, make sure they
can be read or written by the web server or appropriate
suexec UID"



----------------------------------------------------------------------

>Comment By: Alex Martelli (aleax)
Date: 2003-11-02 17:31

Message:
Logged In: YES 
user_id=60314

The advice as given is indeed bad security.  I have replaced it with:

\item When reading or writing external files, make sure they can be
read or written by the userid under which your CGI script will be
running: this is typically the userid under which the web server is
running, or some explicitly specified userid for a web server's
\samp{suexec} feature.

and committed the change on the 2.3 branch on CVS.


----------------------------------------------------------------------
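The two comments above both come down to one rule: a file a CGI script touches should be readable or writable by the UID the script actually runs as, not by every user on the host. The following check is an added example written for this page, not code from the Python documentation or the bug report. It audits a file's mode bits for world-writability and uses the effective UID (what `open()` will really use under a web server or `suexec`) to confirm access; `make_sample_file` only builds constructed sample files for the demonstration.

```python
"""Permission sanity check for files a CGI script reads or writes.

Added example, not part of the bug report: refuse the 777-style modes the
report objects to, and confirm the effective UID this process runs under
(the web server's UID, or a suexec UID) can actually access the file.
"""
import os
import stat
import tempfile


def audit_file_permissions(path, need_write=False):
    """Describe whether `path` is sane for the UID this process runs as.

    Returned keys:
      mode           - permission bits only (e.g. 0o640)
      world_writable - any local user could tamper with the file
      world_readable - any local user can read it (bad for secrets)
      owned_by_us    - file owner is our effective UID
      accessible     - our effective UID can read (and write, if asked) it,
                       which is what the corrected doc text requires
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    flags = os.R_OK | (os.W_OK if need_write else 0)
    # Use the effective IDs where the platform supports it, so the answer
    # matches what open() will do under suexec/setuid rather than the real UID.
    if os.access in os.supports_effective_ids:
        accessible = os.access(path, flags, effective_ids=True)
    else:
        accessible = os.access(path, flags)
    return {
        "mode": mode,
        "world_writable": bool(mode & stat.S_IWOTH),
        "world_readable": bool(mode & stat.S_IROTH),
        "owned_by_us": st.st_uid == os.geteuid(),
        "accessible": accessible,
    }


def is_safe_for_cgi(path, need_write=False):
    """Policy from the corrected advice: accessible to our UID, never world-writable."""
    result = audit_file_permissions(path, need_write)
    return result["accessible"] and not result["world_writable"]


def make_sample_file(mode):
    """Create a constructed sample file with the given mode; returns its path."""
    fd, path = tempfile.mkstemp(prefix="cgi-perm-demo-")
    os.write(fd, b"sample data\n")
    os.close(fd)
    os.chmod(path, mode)  # explicit mode, independent of the umask
    return path


if __name__ == "__main__":
    for mode in (0o777, 0o666, 0o640, 0o600):
        sample = make_sample_file(mode)
        report = audit_file_permissions(sample, need_write=True)
        verdict = "OK" if is_safe_for_cgi(sample, need_write=True) else "REJECT"
        print(f"{oct(mode):>6} world_writable={report['world_writable']!s:5} "
              f"accessible={report['accessible']!s:5} -> {verdict}")
        os.unlink(sample)
```

A script would call `is_safe_for_cgi(path, need_write=True)` once at startup for each data file and fail loudly rather than silently operating on a file that any local account could have replaced; the `world_readable` flag is worth logging separately for files that hold credentials.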
