Secure Python code - volunteers for code review?
and-google at doxdesk.com
Wed Oct 13 17:05:56 CEST 2004
Josiah Carlson <jcarlson at uci.edu> wrote:
> Either way, unencoded/unprepared data may bork you.
Indeed, but I don't see any of that in a quick flick through Andrew's
code. All the literal values are getting passed through the standard
DBAPI substitution layer, so should be completely safe.
The only thing I noticed just briefly looking at it was the call to
os.popen with command '"antiword " + fn'. Creating system commands by
simple string concatenation is v. dodgy.
It turns out in this case that 'fn' is coming directly from
tempfile.mkstemp so there probably isn't going to be a security issue
in practice, but depending on the path of the temp directory and what
characters are escapes I guess this could fail on some platforms, or
something. In any case it makes me feel uneasy. :-)
Of course, Andrew will also have to be sure that there are no buffer
overflows or other issues in the 'antiword' program that could allow a
maliciously-crafted .doc file to execute arbitrary code.
mailto:and at doxdesk.com
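An added example, not from Andrew's code or anyone in this thread, showing why the `"antiword " + fn` concatenation is the weak spot and what the safe forms look like. The filename with shell metacharacters is constructed for illustration (a real mkstemp name would not contain them, which is the poster's point); a Python child process stands in for antiword so it runs without antiword installed.

```python
import shlex
import subprocess
import sys

# Constructed filename: not what tempfile.mkstemp would produce, but the kind of
# value that reaches this code path when fn comes from somewhere less controlled.
SUSPICIOUS_NAME = "/tmp/tmpk3j2 report.doc; echo INJECTED"


def unsafe_command(fn):
    # The pattern discussed in the thread: a shell command built by concatenation.
    # os.popen hands this string to /bin/sh, so metacharacters in fn are interpreted.
    return "antiword " + fn


def tokens_seen_by_shell(cmd):
    # Approximates how the shell word-splits the command string (quotes honoured).
    return shlex.split(cmd)


def safe_argv(fn):
    # Hardened form: an argv list passed to subprocess with no shell involved,
    # so fn is delivered to antiword as exactly one argument whatever it contains.
    return ["antiword", fn]


def safe_shell_string(fn):
    # If a shell string is unavoidable, quote the argument so it stays one word.
    return "antiword " + shlex.quote(fn)


def argv_received_by_child(fn):
    # Stand-in for antiword: a child Python process prints back its first argument.
    # Demonstrates that the argv-list form preserves fn intact, spaces and ';' included.
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", fn]
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    print("shell sees:", tokens_seen_by_shell(unsafe_command(SUSPICIOUS_NAME)))
    print("quoted   :", tokens_seen_by_shell(safe_shell_string(SUSPICIOUS_NAME)))
    print("argv list:", safe_argv(SUSPICIOUS_NAME))
    print("child got:", repr(argv_received_by_child(SUSPICIOUS_NAME)))
```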