[mod_python] Re: security issues?

Erik Stephens mod_python at 24ksoftware.com
Thu Mar 25 10:09:03 EST 2004

On Thu, 25 Mar 2004, Stephane Bortzmeyer wrote:

> > Not that I'm aware other than best practices (i.e. keep up-to-date,
> > proper configuration, don't trust user input,
>                         ^^^^^^^^^^^^^^^^^^^^^^
> Speaking of this, I do not find in Python the equivalent of Perl's
> -T switch. It is very useful to limit the risks of user-controlled
> input. Is there something like this in Python?

Doesn't look like there is such a thing.  There seem to be some
feature requests for it, though.  I wonder if there is a simpler way
than having to modify the language.  Perl and Ruby seem to only care
about tainted variables if the context is bad, like when used in a
shell command.  What if CGI script writers would have to untaint all
user inputs up front?  This would make it easier to plumb this feature
in at a higher level, like mod_python, as opposed to the language

Although, now that I think about it, if the taint/untaint interface is
too annoying for programmers, then I'd imagine a lot of people would
ignore it by doing the minimal amount of work to untaint everything.
Maybe that's why the context-sensitive approach is better.  It only
squawks when it has to.

Don't really know what my point is, just random thoughts I guess :)

Best regards,

More information about the Mod_python mailing list