CGI Tutorial
and-google at doxdesk.com
Thu Oct 5 14:00:57 EDT 2006
Clodoaldo Pinto Neto wrote:
> print '<p>The submited name was "' + name + '"</p>'
Bzzt! Script injection security hole. See cgi.escape and use it (or a
similar function) for *all* text -> HTML output.
> open('files/' + fileitem.filename, 'w')
BZZZZZZT. filesystem overwriting security hole, possibly escalatable to
code execution. clue: fileitem.filename= '../../something.py'
> sid = cookie['sid'].value
> session = shelve.open('/tmp/.session/sess_' + sid
Bad filename use allows choice of non-session files, opening with
shelve allows all sorts of pickle weirdnesses. Just use strings.
> p = sub.Popen(str_command,
o.O
Sure this stuff may not matter for Hello World on a test server, but if
you're writing a tutorial you should ensure newbies know the Right Way
to do it from the start. The proliferation of security-oblivious PHP
tutorials is directly responsible for the disastrous amount of
script-injection- and SQL-injection-vulnerable webapps out there -
let's not have the same for Python.
--
And Clover
mailto:and at doxdesk.com
http://www.doxdesk.com/
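The three defects called out above (unescaped output, attacker-chosen upload filename, cookie value used raw as a shelve path), each beside a hardened form. This is an added example, not code from the tutorial or the thread; it uses html.escape in place of the old cgi.escape, and the directory names, the allowed session-id alphabet and the JSON session format are assumptions of this example.

```python
import html
import json
import os
import re

# Hypothetical directories for this example (the post used 'files/' and
# '/tmp/.session/'); the upload dir must never be served as executable code.
UPLOAD_DIR = "files"
SESSION_DIR = "/tmp/.session"

# A session id is only ever a short token from a fixed alphabet, so it can
# never carry '/', '..' or a NUL into the filename built from it.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9]{16,64}$")
SAFE_FILENAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,100}$")


def render_name(name):
    """Escape user text before embedding it in HTML; quote=True also
    escapes quotes, which matters inside attribute values."""
    return '<p>The submitted name was "' + html.escape(name, quote=True) + '"</p>'


def safe_upload_path(filename):
    """Keep only the last path component of the browser-supplied name and
    reject anything outside a conservative allow-list. Returns None when
    the name is rejected, so the caller never writes outside UPLOAD_DIR."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", "..") or not SAFE_FILENAME_RE.match(base):
        return None
    path = os.path.join(UPLOAD_DIR, base)
    root = os.path.abspath(UPLOAD_DIR)
    # Belt and braces: the resolved path must still sit under UPLOAD_DIR.
    if os.path.commonpath([root, os.path.abspath(path)]) != root:
        return None
    return path


def valid_session_id(sid):
    """Validate the cookie value before it touches the filesystem."""
    return bool(SESSION_ID_RE.match(sid))


def session_path(sid):
    if not valid_session_id(sid):
        raise ValueError("invalid session id")
    return os.path.join(SESSION_DIR, "sess_" + sid + ".json")


def load_session(sid):
    """Sessions are plain JSON, not shelve/pickle, so a tampered session
    file can only yield bad data, never code execution on load."""
    path = session_path(sid)
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return json.load(fh)
```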