John Ward
jbward at berkeley.edu
Mon Jan 3 15:53:40 EST 2005
Hi Jorey,

Thanks for the reply. This information is helpful. I wasn't familiar with the 'sets' module so I'll take a look at it.

Thanks again.

John

At 11:20 AM 12/29/2004 -0500, Jorey Bump wrote:
>John Ward wrote:
>
>>1. With mod_python, do I no longer have to worry about limiting the path
>>available to the script? (I do my best to maintain an appropriate level
>>of paranoia, so one thing I'd like to learn is what security mod_python
>>handles for me and what security I need to write into my scripts.)
>
>Frankly, I'd leave the path alone. Depending on your environment, it could
>affect other users or applications. For example, if I set the environment
>path using mod_python in a virtual host, it also changes the path for perl
>CGI scripts, where the correct path is more likely to matter. It may seem
>fine in an environment you control, but makes your application less
>portable. If you must use popen, set up a variable that contains the
>complete path to your binary, and change that when you deploy it
>somewhere else. With that said, your mod_python applications will have the
>same rights as the apache user, so plan accordingly.
>
>For mod_python newbies, here's a simple module to show your path, using
>the publisher handler:
>
># path.py
>import os
>
>def show(req):
>    # uncomment to set path
>    # os.environ['PATH'] = '/usr/bin:/bin'
>    return os.environ['PATH']
>
>Access it via http://host/path.py/show
>
>>2. How do mod_python programmers typically handle sanitizing form input?
>
>For me, this depends on the intended use of the data, and also partly on
>the version of python. For simple validation, I might turn the input into
>a list and check the members for illegal characters. The sets module
>introduced in python 2.3 is now a built-in in 2.4, making this a trivial
>task. But if your application might run under older versions of python,
>you'll have to use something a bit more universal.
>
>For database input, I use placeholders, somewhere along these lines:
>
>    query = """INSERT INTO users ( name, quest ) VALUES ( %s, %s )"""
>    cursor = dbh.cursor()
>    cursor.execute(query, (req.formdata['name'], req.formdata['quest']))
>
>Note that this is *not* typical python string replacement. This construct
>allows you to send any VALUE string to the database, with necessary
>escapes inserted behind the scenes. It's very handy. You are encouraged to
>find out more about python and placeholders for your db and test it on
>your platform (I found a lot of misleading info, but the form above works
>best for me when using MySQLdb).
>
>>3. Assuming one has an SMTP server listening on localhost, what is the
>>recommended way to add messages to the mail queue?
>
>I prefer smtplib because it's portable, powerful, and offers excellent
>error handling. Of course, if you want the message queued instead of sent
>immediately, you'll need to configure your SMTP daemon to do so. You could
>do this for the MSA on port 587 to avoid running a separate instance.
>
>>4. When writing CGI scripts in Perl using CGI.pm, one has the option of
>>limiting the size of POSTs by setting a value for the '$MAX_POST'
>>variable. Is there a way to do this using mod_python? Or is this even
>>something I need to worry about?
>
>I haven't run into a need for this, but I do have some textarea form
>inputs that I'm concerned about, so I'd be interested if this is possible,
>as well.
>
>
>_______________________________________________
>Mod_python mailing list
>Mod_python at modpython.org
>http://mailman.modpython.org/mailman/listinfo/mod_python
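The two ideas quoted above, a set-based character check and DB placeholders instead of string replacement, as an added example that is not from the thread or from mod_python. It assumes an in-memory SQLite database standing in for MySQLdb (so the placeholder is `?` rather than `%s`), a constructed allowlist of name characters, and the `users(name, quest)` table from the quoted query; the name `O'Reilly` passes the allowlist yet breaks the `%`-formatted statement while the placeholder form stores it intact.

```python
import sqlite3

# Allowlist of characters for a simple "name" field (constructed for this example).
ALLOWED_NAME_CHARS = set("abcdefghijklmnopqrstuvwxyz"
                         "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 -'")


def illegal_chars(value, allowed=ALLOWED_NAME_CHARS):
    """Characters of value outside the allowlist, as a set.
    The 'turn the input into a list and check the members' idea from the
    thread, written as a set difference (sets are built in since 2.4)."""
    return set(value) - allowed


def new_db():
    """In-memory SQLite database with the users table from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, quest TEXT)")
    return conn


def insert_user_formatted(conn, name, quest):
    """The construct the thread warns against: %-replacement pastes the raw
    value into the SQL text, so a quote in the input changes the statement."""
    query = "INSERT INTO users (name, quest) VALUES ('%s', '%s')" % (name, quest)
    conn.execute(query)


def insert_user(conn, name, quest):
    """Placeholder form: the values travel separately from the SQL text and
    the driver escapes them. sqlite3 uses '?' where MySQLdb uses '%s'."""
    conn.execute("INSERT INTO users (name, quest) VALUES (?, ?)", (name, quest))


def try_insert(insert_fn, conn, name, quest):
    """True if the insert ran, False if the database rejected the statement."""
    try:
        insert_fn(conn, name, quest)
        return True
    except sqlite3.Error:
        return False


def quest_of(conn, name):
    """Look a user up with a placeholder; None if absent."""
    row = conn.execute("SELECT quest FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = new_db()
    print(illegal_chars("Robin; --"))                                   # {';'}
    print(try_insert(insert_user_formatted, conn, "O'Reilly", "grail"))  # False
    print(try_insert(insert_user, conn, "O'Reilly", "grail"))            # True
    print(quest_of(conn, "O'Reilly"))                                    # grail
```

The allowlist is a first filter only; the apostrophe case shows why escaping belongs to the driver via placeholders rather than to a character check.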