[Tutor] [OT] Secure coding guidelines
Lie Ryan
lie.1296 at gmail.com
Sun Oct 11 18:23:41 CEST 2009
Didar Hossain wrote:
> Hi,
>
> This is a little off-topic, but, I though I might put this question in.
>
> Since I am learning Python, I was wondering if there are any good
> references on secure
> coding practices. Books, guides or even any howtos would suffice.
>
> Security seems to be almost always an after-thought rather than being
> ingrained into
> any course that I have come across including the ones that they have
> in college degrees.
>
> If this question is inappropriate for this list then please let me
> know and accept my apologies
> (EAFP) ;-)
Common tips for python:
1. Don't trust the user! Any data from raw_input() (py2.x) or input()
(py3.x), etc must be validated.
2. Don't trust files! Data coming from open(), urlopen(), etc must go
through the same rigorous process as user input.
3. Use extreme caution when dynamically generating code. This includes
python's built-in eval/exec, SQL statements, shell call, etc. Prefer APIs.
4. In some cases, don't trust the environment! A malicious user or virus
could attach themselves to the OS's stdin/stdout/file-read/write/shell.
(Don't take this seriously, a program with no input and no output is a
waste of space and time)
5. In extreme situation, don't even trust external modules or even the
standard library.
6. And finally, in any case, don't assume that Guido don't have a hidden
agenda.
More information about the Tutor
mailing list