[mod_python] Pipes and security

Nicolas Lehuen nicolas at lehuen.com
Tue Jul 25 06:46:47 EDT 2006


As an example in your context, imagine a stupid way of serving files (the
code is obviously false but I just want to show you the problem):

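import os

def serve_file(req, filename):
    # Deliberately unsafe: filename is pasted unescaped into text read by sh.
    # os.popen2 (Python 2) returns the child's (stdin, stdout) pair.
    i, o = os.popen2("sh")
    i.write("cat %s" % filename)
    i.close()
    req.write(o.read())
    o.close()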

then calling http://myserver/stupid.py/serve_file?filename=foobar.txt would
work correctly.

Now if someone calls
http://myserver/stupid.py/serve_file?filename=foobar.txt%3Brm+-Rf+%2F ,
you've got a big problem because the command will be "cat foobar.txt;rm -Rf
/", displaying the content of foobar.txt THEN erasing all your server's main
partition...

Therefore, you must transform the input string, escaping it to make sure
that this cannot happen. It turns out doing it properly and securely is
quite difficult, so you'd better find another way of doing what you need.
For example, SQL injection is most easily fought by using prepared statements
with placeholders. As for your problem, well, it depends on what you want to
do.

Regards,
Nicolas

2006/7/25, Nicolas Lehuen <nicolas at lehuen.com>:
>
> The problem is not related to the choice of technology. It is about
> accepting data from the web and using it in an executable context.
>
> If the commands you pass are built from data sent over the web, there is a
> chance that some malicious data can execute dangerous code. Therefore, you
> have to make sure that any data sent over the web (in forms or query
> parameters) is properly escaped when included in executable code (command
> line parameters, SQL requests, etc.).
>
> For more information, see the classical "SQL Injection" problem.
>
> http://en.wikipedia.org/wiki/SQL_injection
>
> Regards,
> Nicolas
>
> 2006/7/25, Richard Lewis <richardlewis at fastmail.co.uk>:
>
> > Hi there,
> >
> > Just investigating some possible implementation methods.
> >
> > Does it pose a security risk in mod_python to do this sort of thing:
> >
> > def handler(req):
> >   # code is from memory so may not be correct
> >   # but it's the idea that's important ;-)
> >   i, o = os.popen2("cmd")
> >   i.write("some data")
> >   i.close()
> >
> >   req.write(o.read())
> >   o.close()
> >
> > I don't really understand it properly, but I've read before now that using
> > pipes to execute shell commands from CGI scripts can be insecure. Does the
> > same apply with Apache modules like mod_python?
> >
> > Cheers,
> > Richard
> > --
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > Richard Lewis
> > Sonic Arts Research Archive
> > http://www.sara.uea.ac.uk/
> > JID: ironchicken at jabber.earth.li
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> >
>
>
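Added example, not part of the original message or of mod_python: the serve_file pattern from the top of this message next to two alternatives, one passing the file name as a single argument with no shell (the command-line analogue of a placeholder) and one avoiding the child process entirely. The function names, the harmless "echo INJECTED" stand-in and the use of Python 3's subprocess module are assumptions made for the illustration.

```python
# Added illustration; hypothetical names, Python 3 subprocess assumed.
import os
import subprocess
import tempfile

def serve_file_shell(base_dir, filename):
    # Pattern from the message: the value becomes part of the shell's program text.
    done = subprocess.run("cat %s" % filename, shell=True, cwd=base_dir,
                          capture_output=True, text=True)
    return done.stdout

def serve_file_argv(base_dir, filename):
    # No shell: the value is one argv entry; "--" stops a leading "-" being a flag.
    done = subprocess.run(["cat", "--", filename], cwd=base_dir,
                          capture_output=True, text=True)
    if done.returncode != 0:
        raise FileNotFoundError(filename)
    return done.stdout

def serve_file_direct(base_dir, filename):
    # "Another way": no child process; resolve the path and confine it to base_dir.
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, path]) != base:
        raise PermissionError(filename)
    if not os.path.isfile(path):
        raise FileNotFoundError(filename)
    with open(path) as fh:
        return fh.read()

def attempt(fn, base_dir, filename):
    try:
        return fn(base_dir, filename)
    except (FileNotFoundError, PermissionError) as exc:
        return "rejected: " + type(exc).__name__

def demo():
    hostile = "foobar.txt;echo INJECTED"  # constructed, harmless stand-in
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "foobar.txt"), "w") as fh:
            fh.write("hello\n")
        return {
            "shell": attempt(serve_file_shell, base, hostile),
            "argv": attempt(serve_file_argv, base, hostile),
            "direct": attempt(serve_file_direct, base, hostile),
            "direct_ok": attempt(serve_file_direct, base, "foobar.txt"),
            "traversal": attempt(serve_file_direct, base, "../outside.txt"),
        }
```

Calling demo() returns one result per variant: only the shell version runs the text after the semicolon, while the other two treat the whole string as a (nonexistent) file name.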