list at joreybump.com
Wed Dec 29 11:20:56 EST 2004
John Ward wrote: > 1. With mod_python, do I no longer have to worry about limiting the path > available to the script? (I do my best to maintain an appropriate level > of paranoia, so one thing I'd like to learn is what security mod_python > handles for me and what security I need to write into my scripts.) Frankly, I'd leave the path alone. Depending on your environment, it could affect other users or applications. For example, if I set the environment path using mod_python in a virtual host, it also changes the path for perl CGI scripts, where the correct path is more likely to matter. It may seem fine in an environment you control, but makes your application less portable. If you must use popen, set up a variable that contains the complete path to your binary, and change that when you deploy it somewhere else. With that said, your mod_python applications will have the same rights as the apache user, so plan accordingly. For mod_python newbies, here's a simple module to show your path, using the publisher handler: # path.py import os def show(req): # uncomment to set path # os.environ['PATH'] = '/usr/bin:/bin' return os.environ['PATH'] Access it via http://host/path.py/show > 2. How do mod_python programmers typically handle sanitizing form input? For me, this depends on the intended use of the data, and also partly on the version of python. For simple validation, I might turn the input into a list and check the members for illegal characters. The sets module introduced in python 2.3 is now a built-in in 2.4, making this a trivial task. But if your application might run under older versions of python, you'll have to use something a bit more universal. For database input, I use placeholders, somewhere along these lines: query = """INSERT INTO users ( name, quest ) VALUES ( %s, %s )""" cursor = dbh.cursor() cursor.execute(query, (req.formdata['name'], req.formdata['quest'])) Note that this is *not* typical python string replacement. This construct allows you to send any VALUE string to the database, with necessary escapes inserted behind the scenes. It's very handy. You are encouraged to find out more about python and placeholders for your db and test it on your platform (I found a lot of misleading info, but the form above works best for me when using MySQLdb). > 3. Assuming one has an SMTP server listening on localhost, what is the > recommended way to add messages to the mail queue? I prefer smtplib because it's portable, powerful, and offers excellent error handling. Of course, if you want the message queued instead of sent immediately, you'll need to configure your SMTP daemon to do so. You could do this for the MSA on port 587 to avoid running a separate instance. > 4. When writing CGI scripts in Perl using CGI.pm, one has the option of > limiting the size of POSTs by setting a value for the '$MAX_POST' > variable. Is there a way to do this using mod_python? Or is this even > something I need to worry about? I haven't run into a need for this, but I do have some textarea form inputs that I'm concerned about, so I'd be interested if this is possible, as well.