[mod_python] Pipes and security

Nicolas Lehuen nicolas at lehuen.com
Tue Jul 25 06:35:15 EDT 2006

The problem is not related to the choice of technology. It is about
accepting data from the web and using it in an executable context.

If the command you pass are built from data sent over the web, there is a
chance that some malicious data can execute dangerous code. Therefore, you
have to make sure that any data sent over the web (in forms or query
parameters) is properly escaped when included in executable code (command
line parameters, SQL requests, etc.).

For more information, see the classical "SQL Injection" problem.



2006/7/25, Richard Lewis <richardlewis at fastmail.co.uk>:
> Hi there,
> Just investigating some possible implementation methods.
> Does it pose a security risk in mod_python to do this sort of thing:
> def handler(req):
>   # code is from memory so may not be correct
>   # but its the idea thats important ;-)
>   i, o = os.popen2("cmd")
>   i.write("some data")
>   i.close()
>   req.write(o.read())
>   o.close()
> I don't really understand it properly, but I've read before now that using
> pipes to execute shell commands from CGI scripts can be insecure. Does the
> same apply with Apache modules like mod_python?
> Cheers,
> Richard
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Richard Lewis
> Sonic Arts Research Archive
> http://www.sara.uea.ac.uk/
> JID: ironchicken at jabber.earth.li
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mm_cfg_has_not_been_edited_to_set_host_domains/pipermail/mod_python/attachments/20060725/7a13ce57/attachment.html

More information about the Mod_python mailing list