Python scripts in IIS

Andrew Clover and-google at doxdesk.com
Thu Feb 26 10:47:14 CET 2004


Robert Brewer <fumanchu at amor.org> wrote:

>> Note: you really want -
>>    ...python.exe -u %s %s

(Note to self and Google: you *really* want:

  ...python.exe -u "%s" %s

just in case the filename has space characters in.)

> What you *really* want ;) is to avoid allowing users to pass arbitrary
> strings on the command line, which is what happens with this technique.

? IIS passes arbitrary strings, not the user. Of course the 'check
file exists' option should be set to avoid parameter injection, but
that's common sense, and the IIS5 default.

> You should seriously look into ASP, mod python, or some other means of
> more safely connecting python to a web server.

I can't agree with this at all. CGI is the only standard we can
currently use to write cross-platform scripts. ASP is fine if you want
to be locked to IIS; coding to mod_python limits you to Apache.

CGI is also a well-understood protocol with widely-used implementations.
mod_python, judging by the recent repeated appearance of security
problems, is not yet at quite this level of maturity. Writing secure
web applications is an issue in itself, without having to worry about
whether your application server/interfacing layer is going to let you
down.

Yes, CGI is slow, and it does have a few practical problems in the area
of HTTP Authentication. But until WEB-SIG comes up with a standard
webapp encapsulation interface it's the only write-once-run-anywhere
standard we've got. I'm not saying that ASP or mod_python are unworthy
technologies, but choosing one of them will tie your subsequent choices
a tad. Convenience is a good reason for choosing either of them over
CGI; security is not.

-- 
Andrew Clover
mailto:and at doxdesk.com
http://www.doxdesk.com/



More information about the Python-list mailing list