CGI Tutorial

Steve Holden steve at
Thu Oct 5 20:39:08 CEST 2006

and-google at wrote:
> Clodoaldo Pinto Neto wrote:
>>print '<p>The submited name was "' + name + '"</p>'
> Bzzt! Script injection security hole. See cgi.escape and use it (or a
> similar function) for *all* text -> HTML output.
>>open('files/' + fileitem.filename, 'w')
> BZZZZZZT. filesystem overwriting security hole, possibly escalatable to
> code execution. clue: fileitem.filename= '../../'
Technically this subclass of canonicalization error is known as a 
directory traversal bug.
>>sid = cookie['sid'].value
>>session ='/tmp/.session/sess_' + sid
> Bad filename use allows choice of non-session files, opening with
> shelve allows all sorts of pickle weirdnesses. Just use strings.
>>p = sub.Popen(str_command,
> o.O
> Sure this stuff may not matter for Hello World on a test server, but if
> you're writing a tutorial you should ensure newbies know the Right Way
> to do it from the start. The proliferation of security-oblivious PHP
> tutorials is directly responsible for the disastrous amount of
> script-injection- and SQL-injection-vulnerable webapps out there -
> let's not have the same for Python.

I was teaching this week's class about SQL injection vulnerabilities 
earlier today. One student mentioned estimates that *11%* of all 
Internet web sites are vulnerable to such exploits. Another, a 
policeman, pointed out that he'd had news just today of an injection 
exploit on a major credit card company's web site. The number of credit 
card numbers harvested by the attack has not yet been announced.

Credit card numbers should be encrypted in the database, of course, but 
they rarely are (even by companies whose reputations imply they ought to 
know better).

Yup, in the wacky world of the 21st century web if a thing's worth doing 
it's worth screwing up completely ...

Steve Holden       +44 150 684 7255  +1 800 494 3119
Holden Web LLC/Ltd
Skype: holdenweb
Recent Ramblings
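As an added illustration (not code from the tutorial or from anyone in this thread), here are hardened Python 3 counterparts of the four quoted lines: HTML escaping, a traversal-proof upload path, a strictly validated session id, and a command run without a shell. It assumes the tutorial's `files/` and `/tmp/.session/` directories and a constructed session-id policy (`SID_RE`).

```python
import html
import os
import re
import subprocess

UPLOAD_DIR = "files"            # assumed upload directory, as in the tutorial
SESSION_DIR = "/tmp/.session"   # assumed session directory, as in the tutorial
SID_RE = re.compile(r"^[A-Za-z0-9]{16,64}$")  # constructed session-id policy


def render_name(name):
    """Escape user text before embedding it in HTML. cgi.escape is gone in
    Python 3; html.escape replaces it and, with quote=True, also escapes quotes
    so the value is safe inside attributes as well as element content."""
    return '<p>The submitted name was "%s"</p>' % html.escape(name, quote=True)


def safe_upload_path(filename):
    """Map a client-supplied filename to a path that must stay under UPLOAD_DIR.
    Only the last path component is kept (backslashes normalised first), and the
    resolved result is checked against the upload root, so '../../x' cannot
    escape the directory."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError("empty or dot filename")
    root = os.path.realpath(UPLOAD_DIR)
    path = os.path.realpath(os.path.join(root, base))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("path escapes upload dir")
    return path


def session_path(sid):
    """Accept only session ids matching a strict pattern, so a cookie value
    cannot select an arbitrary file on disk."""
    if not SID_RE.match(sid):
        raise ValueError("bad session id")
    return os.path.join(SESSION_DIR, "sess_" + sid)


def run_command(args):
    """Run a command as an argument list with shell=False, so user-derived
    values are passed as data and never parsed by a shell."""
    result = subprocess.run(args, shell=False, capture_output=True, text=True)
    return result.stdout
```

Session state itself should still be stored as plain strings (JSON, for instance) rather than via shelve/pickle, as the quoted reply advises.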
