how safe is Python for CGI?

William wilk-spamout at flibuste.net
Tue Oct 8 06:12:13 EDT 2002


"DG" <david at fielden.com.au> writes:

> Greetings,
> 
> I am thinking about using Python's CGI capabilities to write some simple web
> front ends to a database.  The web server is running apache under Linux,
> Python 2.2.1.
> 
> How secure is Python for this?  For example, it seems that I will need to
> put the database path, username and password into the database connect()
> line in the cgi-bin script, is it possible for someone to download the
> script from the cgi-bin directory without running it, and then inspect the
> source to find the database path/user/pass?
> 
> What are common Python practices to circumvent this, if it is a problem?
> 
> Are there any other gotchas to this sort of script?

It's not a specific problem of Python. You must configure Apache to
not let people see your script.
Also it's better to put your critical data outside the directory of
your webserver, and you access these data by an import:
/home/you/www/yoursite
/home/you/data/yourdata

Another thing is to not let people see the traceback; catch all
the errors.

Be careful of the parameters you pass (that everybody will see and will
be logged) and the cookies you use.

bye

-- 
William Dodé - flibuste.net
http://wikipython.tuxfamily.org
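The two practices the reply recommends, shown as an added example that is not part of the original thread: the database credentials are imported from a module kept outside the web root (the reply's /home/you/data; a temporary directory stands in for it here so the script runs anywhere), and every request handler is wrapped so that an exception is logged to the server's error log while the browser only gets a generic error page. The file name dbconfig.py, its variable names, the sample credentials and the handler functions are all assumptions.

```python
import importlib.util
import io
import os
import tempfile
import traceback

# Constructed sample of the secrets file that lives outside the document root
# (the reply's /home/you/data), so Apache can never serve it as a plain file.
SAMPLE_DBCONFIG = '''
DB_HOST = "localhost"
DB_NAME = "shop"
DB_USER = "webapp"
DB_PASS = "example-only"
'''


def load_credentials(data_dir, filename="dbconfig.py"):
    """Import the credentials module from data_dir (assumed to be outside the web tree).

    Loading by explicit path avoids relying on sys.path, so the CGI script itself
    holds no password: only a path to a directory the webserver does not export.
    """
    path = os.path.join(data_dir, filename)
    spec = importlib.util.spec_from_file_location("dbconfig", path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    return {
        "host": module.DB_HOST,
        "name": module.DB_NAME,
        "user": module.DB_USER,
        "password": module.DB_PASS,
    }


def cgi_response(handler, error_log):
    """Run handler() and build the CGI reply; never let a traceback reach the client.

    The traceback goes to error_log (stderr under Apache, which ends up in the
    error log) and the browser receives a fixed 500 page.
    """
    try:
        return "Content-Type: text/html\r\n\r\n" + handler()
    except Exception:
        traceback.print_exc(file=error_log)
        return (
            "Status: 500 Internal Server Error\r\n"
            "Content-Type: text/html\r\n\r\n"
            "<h1>Sorry, an internal error occurred.</h1>"
        )


def demo():
    """Exercise both pieces with constructed input and return the results."""
    with tempfile.TemporaryDirectory() as data_dir:
        with open(os.path.join(data_dir, "dbconfig.py"), "w") as f:
            f.write(SAMPLE_DBCONFIG)
        creds = load_credentials(data_dir)

    log = io.StringIO()  # stands in for sys.stderr / Apache's error log
    ok = cgi_response(lambda: "<p>hello</p>", log)

    def broken():
        # Simulates a failed connect() or any other unexpected error
        raise KeyError("db connect failed")

    bad = cgi_response(broken, log)
    return {"creds": creds, "ok": ok, "bad": bad, "log": log.getvalue()}


if __name__ == "__main__":
    result = demo()
    print(result["ok"])
    print(result["bad"])
    print("logged server-side:", result["log"].splitlines()[-1])
```

In a real deployment the data directory is a fixed path such as the reply's /home/you/data and error_log is sys.stderr; the point of the wrapper is that the response body is constant whatever the exception was, while the full traceback is still available to the administrator.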
