Python CGI security

Moshe Zadka moshez at math.huji.ac.il
Mon Jul 3 08:53:49 EDT 2000


On Mon, 3 Jul 2000, Michael [iso-8859-1] Ströder wrote:

> Note that I only posted *excerpts* of the ITS4 output. Feel free to
> ask if you want the whole output by e-mail (approx. 1000 lines with
> a lot of repeated messages).
> 
> > There are a few types of "potential security holes":
> > 
> >  -- exposing insecure parts of the API, such as os.system(). These should
> >     stay, since the user should have those at his disposal
> 
> Would it be possible to provide a secure version in the Python lib
> of e.g. os.system() with same function parameters but less insecure
> behaviour instead of just wrapping it 1:1?

No: the insecurities are there for a reason: they give more power to
local applications.

Please send to me (personally!) the whole output. I'll have a look at it
and try to summarize it.
--
Moshe Zadka <moshez at math.huji.ac.il>
There is no GOD but Python, and HTTP is its prophet.
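An added illustration (not part of the thread) of why a "secure os.system() with the same parameters" is not achievable: os.system() hands one string to /bin/sh, which re-tokenizes it, so a CGI value containing spaces or quotes changes the command's shape; the safer alternative has a different interface, an argv list that never goes through a shell. The Python interpreter itself (sys.executable) stands in for whatever program a CGI script would call; that is an assumption of this example.

```python
import shlex
import subprocess
import sys

# Constructed CGI parameter value: a filename containing spaces and quotes,
# exactly the kind of input a web form can deliver to a script.
CGI_VALUE = 'report "2000" notes.txt'


def shell_tokens(command: str) -> list[str]:
    """Tokenize a command string the way /bin/sh would before executing it.

    This is what os.system(command) exposes the string to: the shell decides
    the argument boundaries, not the caller.
    """
    return shlex.split(command)


def quote_for_shell(value: str) -> str:
    """Force a value to survive shell tokenization as one word.

    Needed only when a shell string cannot be avoided; it does not change
    os.system()'s parameters, it changes what the caller must do with them.
    """
    return shlex.quote(value)


def run_without_shell(value: str) -> str:
    """Pass the value as a single argv element with no shell involved.

    sys.executable is used as a stand-in program (assumption) that echoes
    back argv[1] so the test can check it arrived unchanged.
    """
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    print("os.system() style tokens:", shell_tokens("cat " + CGI_VALUE))
    print("quoted tokens:           ", shell_tokens("cat " + quote_for_shell(CGI_VALUE)))
    print("argv list round-trip:    ", run_without_shell(CGI_VALUE))
```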