Nicolas Lehuen
nicolas at lehuen.com
Tue Jul 25 06:35:15 EDT 2006
The problem is not related to the choice of technology. It is about accepting data from the web and using it in an executable context. If the commands you pass are built from data sent over the web, there is a chance that some malicious data can execute dangerous code. Therefore, you have to make sure that any data sent over the web (in forms or query parameters) is properly escaped when included in executable code (command line parameters, SQL requests, etc.).

For more information, see the classical "SQL Injection" problem:
http://en.wikipedia.org/wiki/SQL_injection

Regards,
Nicolas

2006/7/25, Richard Lewis <richardlewis at fastmail.co.uk>:
>
> Hi there,
>
> Just investigating some possible implementation methods.
>
> Does it pose a security risk in mod_python to do this sort of thing:
>
> import os
> from mod_python import apache
>
> def handler(req):
>     # code is from memory so may not be correct
>     # but it's the idea that's important ;-)
>     i, o = os.popen2("cmd")   # write to the child's stdin, read its stdout
>     i.write("some data")
>     i.close()
>
>     req.write(o.read())
>     o.close()
>     return apache.OK
>
> I don't really understand it properly, but I've read before now that using
> pipes to execute shell commands from CGI scripts can be insecure. Does the
> same apply with Apache modules like mod_python?
>
> Cheers,
> Richard
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Richard Lewis
> Sonic Arts Research Archive
> http://www.sara.uea.ac.uk/
> JID: ironchicken at jabber.earth.li
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python
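The distinction Nicolas draws (web data pasted into a command string versus the same data kept out of the shell's reach), as an added example that is not part of this thread. The form-field value is constructed, and a small Python one-liner stands in for the external command so the block runs offline; a real handler would substitute its own program.

```python
import json
import shlex
import subprocess
import sys

# Constructed sample input: a form field value that happens to contain
# shell metacharacters. Nothing below ever hands it to a shell.
UNTRUSTED_FIELD = "report.txt; echo INJECTED"


def build_vulnerable_command(field):
    """The dangerous pattern: request data interpolated into a command string
    that a shell will parse. Returned as text here, deliberately never run."""
    return "wc -c %s" % field


def build_escaped_command(field):
    """Escaping, as the reply recommends: shlex.quote turns the whole value
    into a single shell word, so ';' and friends lose their meaning."""
    return "wc -c %s" % shlex.quote(field)


# Stand-in child program (hypothetical): reports the argument it received and
# how many bytes arrived on stdin, so the caller can verify what the child saw.
CHILD = ("import json, sys; "
         "print(json.dumps([sys.argv[1], len(sys.stdin.buffer.read())]))")


def run_without_shell(field, data):
    """Preferred form: no shell at all. Arguments go as a list, so the field
    reaches the child verbatim as one argv entry, and the data is written to
    stdin just like the popen2 write/read in the question. Returns
    (argument as seen by the child, number of stdin bytes)."""
    proc = subprocess.run([sys.executable, "-c", CHILD, field],
                          input=data.encode("utf-8"),
                          capture_output=True, check=True)
    seen_arg, stdin_len = json.loads(proc.stdout.decode("utf-8"))
    return seen_arg, stdin_len


if __name__ == "__main__":
    print("shell would see :", build_vulnerable_command(UNTRUSTED_FIELD))
    print("escaped form    :", build_escaped_command(UNTRUSTED_FIELD))
    print("argv-list child :", run_without_shell(UNTRUSTED_FIELD, "some data"))
```

The first string contains two commands as far as a shell is concerned; the second is one quoted word; the third call shows the child received the whole value as a single literal argument.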