[FRPythoneers] Python CGI & Security

Evelyn Mitchell efm at tummy.com
Tue Jul 9 21:06:52 MDT 2002


The best article on CGI security is still Lincoln Stein's
http://www.w3.org/Security/Faq/

The whole thing is worth reading, but the section on CGI can be found
at:

http://www.w3.org/Security/Faq/wwwsf4.html

"Never, never, never pass unchecked remote user input to a shell
command."

We'd be happy to look at the code, if you can show it to us.

Evelyn
* On 2002-07-10 02:50 Matt Gushee <mgushee at havenrock.com> wrote:
> Hi, folks--
> 
> I've developed a simple web site for a group I'm involved with. It's
> mostly static, but needs a formmail-type CGI script. I downloaded the
> simplest one I found on the Web, which was Lars Marius Garshol's
> 'formmail.py', but I ended up mostly rewriting it to remove some
> unneeded functionality (like binary file upload) and add some validation
> functions.
> 
> Anyway, it's been several years since I've done anything with CGI, and
> actually have never used Python for CGI at all. So I'm just wondering if
> there are any security issues I should know about related to the
> particular Python libraries I'm using. Here's what my script imports:
> 
>     cgi, StringIO, string, smtplib, sys, re, MimeWriter
> 
> Thanks for your tips!
> -- 
> Matt Gushee
> Englewood, Colorado, USA
> mgushee at havenrock.com
> http://www.havenrock.com/

-- 
Regards,                    tummy.com, ltd 
Evelyn Mitchell             Linux Consulting since 1995
efm at tummy.com               Senior System and Network Administrators
                            http://www.tummy.com/
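
Added example (not part of the original message and not Matt's or Lars Marius Garshol's code): one way a formmail-type handler can follow the FAQ rule quoted above, by validating each field before it becomes a mail header and handing the message to smtplib so no shell is involved. The recipient address, the field names, the length limits and the plain dict standing in for the parsed form are all assumptions.

```python
import re
import smtplib
from email.message import EmailMessage

# Assumption: the destination is fixed in the script, never taken from the form.
RECIPIENT = "webmaster@example.org"
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# The pattern the FAQ warns against looks like
#   os.system('mail -s "%s" %s' % (subject, RECIPIENT))
# where the shell interprets whatever the remote user typed.


class RejectedInput(ValueError):
    """Raised when a form field cannot safely be used."""


def clean_header(value, max_len=200):
    """Accept only values that fit on one header line: no control chars."""
    if len(value) > max_len or any(ord(c) < 32 or ord(c) == 127 for c in value):
        raise RejectedInput("control character or over-long header value")
    return value.strip()


def clean_address(value):
    """Accept a single bare address, nothing else."""
    value = clean_header(value, 254)
    if not ADDR_RE.fullmatch(value):
        raise RejectedInput("not a plain e-mail address")
    return value


def build_message(form):
    """Build the mail from a dict of form fields (hypothetical field names)."""
    msg = EmailMessage()
    msg["From"] = RECIPIENT
    msg["To"] = RECIPIENT
    msg["Reply-To"] = clean_address(form.get("email", ""))
    msg["Subject"] = "[web form] " + clean_header(form.get("subject", ""))
    msg.set_content(form.get("body", "")[:10000])  # the body is data, capped in size
    return msg


def deliver(msg, host="localhost"):
    """Hand the message to the local MTA over SMTP; no shell command is built."""
    with smtplib.SMTP(host) as smtp:
        smtp.send_message(msg)
```

Because the subject only ever reaches the mail library as data, shell metacharacters in it stay literal text; the checks reject input that would break out of a single header line.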


