[Edu-sig] Simplest webapps

Wes Turner wes.turner at gmail.com
Sat Mar 31 20:20:57 EDT 2018


Web programming is fun but dangerous.
Things as simple as 'it reads a file off the disk and sends it to the user'
can unintentionally expose every readable file to whoever or whatever can
access localhost.

```python
import os

os.path.join('here', '/etc/shadow')  # absolute 2nd arg discards 'here': result is '/etc/shadow'
path = 'here/' + '../../../../etc/shadow'  # '..' segments climb back out of 'here/'
```

All of the examples in this thread are susceptible to XSS (Cross Site
Scripting) and CSRF (Cross-site Request Forgery). Don't feel bad; many
college web programming courses teach dangerous methods, too.

XSS:
```python
def page():
    # user-controlled string is spliced straight into the markup
    x = """</body><script>alert('download_mining_script()')</script>"""
    return f'<html><body>{x}'
```

Bottle has multiple templating engines which escape user-supplied input (in
order to maintain a separation between data and code).

Like XSS, SQLi is also a 'code injection' issue. pypi:Records can use
SQLAlchemy. Django is a great framework with a built-in ORM that also
escapes SQL queries.

CSRF:
- X posts an XSS to site A that POSTs to site B
- 100 users view site A
- [...]

http://bottle-utils.readthedocs.io/en/latest/csrf.html

https://bottlepy.org/docs/dev/tutorial.html#html-form-handling

OWASP has a lot of information on WebSec:

OWASP Top 10
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

The OWASP Vulnerable Web Applications Directory Project (VWAD)
https://github.com/OWASP/OWASP-VWAD

Any program or user on the system can read and write to localhost.
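The file-reading hazard described at the top of the post has a standard fix: resolve the requested path and check that it is still inside the directory you meant to serve. The following is an added example, not code from the post or from Bottle; `safe_path` and `serve_file` are names chosen here, and the directory name `here` is the post's own placeholder.

```python
import os


def safe_path(base_dir, requested):
    """Resolve a user-supplied path under base_dir.

    Returns the absolute path if it stays inside base_dir, else None.
    Both hazards from the post are caught by one containment check:
    os.path.join() discarding base_dir when `requested` is absolute,
    and '../' segments climbing back out of base_dir.
    """
    base = os.path.realpath(base_dir)
    # realpath collapses '..' segments (and symlinks) so we compare the
    # final target, not the string the client sent.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath is segment-aware: 'here2/x' does not pass for base 'here'.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def serve_file(base_dir, requested):
    """Read a file only if its resolved path is inside base_dir.

    Returns an (http_status, body) pair so the caller can build the response.
    """
    path = safe_path(base_dir, requested)
    if path is None:
        return 403, b"forbidden"
    try:
        with open(path, "rb") as fh:
            return 200, fh.read()
    except (FileNotFoundError, IsADirectoryError):
        return 404, b"not found"


if __name__ == "__main__":
    # Constructed requests: the two from the post and one legitimate one.
    for req in ("/etc/shadow", "../../../../etc/shadow", "docs/a.txt"):
        print(repr(req), "->", safe_path("here", req))
```

Note that a `startswith` check on the string would be a weaker substitute: `/srv/here2/x` starts with `/srv/here`, which is why `os.path.commonpath` is used. Resolving with `realpath` also means a symlink inside the served directory that points outside it is rejected, which is usually what you want for a file server.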

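The post groups XSS and SQLi together as code-injection problems, and the fix is the same in both: keep data from being parsed as code, by escaping on output for HTML and by binding parameters for SQL. Here is an added example showing the unsafe and safe forms side by side (not code from the post, Bottle or Django); the `users` table, its two rows and the function names are constructed for the demonstration.

```python
import html
import sqlite3


def render_unsafe(name):
    # What the thread's f-string examples do: data is spliced into markup,
    # so a name containing '</body><script>' becomes part of the page's code.
    return f"<html><body>Hello {name}!</body></html>"


def render_safe(name):
    # html.escape() turns <, >, &, " and ' into entities, so the browser
    # shows the characters instead of interpreting them. Bottle's template
    # engines and Django's templates do this for you by default.
    return f"<html><body>Hello {html.escape(name)}!</body></html>"


def make_db():
    """Constructed in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Pete", "student"), ("admin", "staff")])
    return conn


def find_role_unsafe(conn, name):
    # String formatting lets the value change the structure of the query.
    query = f"SELECT role FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query).fetchall()]


def find_role_safe(conn, name):
    # A bound parameter is always treated as a value, never as SQL;
    # SQLAlchemy (used by pypi:Records) and the Django ORM build on this.
    query = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,)).fetchall()]


if __name__ == "__main__":
    conn = make_db()
    print(render_safe("</body><script>alert('x')</script>"))
    print(find_role_safe(conn, "Pete"))
```

With a name value containing a quote character and an `OR` clause, `find_role_unsafe` returns every row while `find_role_safe` returns none, because the whole string is compared as a single literal. Escaping on output is the rule for HTML: escaping when data is stored corrupts it for other uses (a CSV export, an API) and is easy to forget on one path.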

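The CSRF sketch in the post (a page on site A that makes the visitor's browser POST to site B) works because the browser attaches site B's cookies automatically. The usual defence, and what the linked bottle-utils module provides, is a per-session token that site A cannot know. The block below is an added, framework-free illustration of that scheme, not bottle-utils' code; `SERVER_SECRET`, the session ids and the form dicts are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Per-process secret, generated at startup (constructed for this example).
# In a real deployment it would be loaded from configuration so that it
# survives restarts and is shared by all worker processes.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id, secret=SERVER_SECRET):
    """Derive a token bound to one session.

    Another site can make the browser send site B's cookie, but it cannot
    read the token that site B rendered into its own form.
    """
    return hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def csrf_check(session_id, submitted, secret=SERVER_SECRET):
    """True only if `submitted` is this session's token (constant-time compare)."""
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token(session_id, secret), submitted)


def hidden_field(session_id):
    """HTML snippet to place inside every state-changing <form>."""
    return f'<input type="hidden" name="csrf_token" value="{csrf_token(session_id)}">'


def handle_post(session_id, form):
    """Reject a POST that does not carry the session's token.

    `session_id` is whatever your framework recovered from the session
    cookie; `form` is the parsed POST body as a dict.
    """
    if not csrf_check(session_id, form.get("csrf_token", "")):
        return 403, "CSRF check failed"
    return 200, "ok"


if __name__ == "__main__":
    sid = "session-abc"  # constructed session id
    print(hidden_field(sid))
    print(handle_post(sid, {"csrf_token": csrf_token(sid)}))
    print(handle_post(sid, {}))
```

Deriving the token with HMAC keeps the server stateless: nothing has to be stored per form. The check belongs on every request that changes state; GET handlers that change state are themselves a CSRF problem, which is why the Bottle form-handling docs linked above route such actions through POST.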
On Saturday, March 31, 2018, Wes Turner <wes.turner at gmail.com> wrote:

> Bottle is a single file web microframework.
>
> https://github.com/bottlepy/bottle
> https://github.com/bottlepy/bottle/blob/master/bottle.py
>
> > Example: "Hello World" in a bottle
>
> ```python
> from bottle import route, run, template
>
> @route('/hello/<name>')
> def index(name):
>     return template('<b>Hello {{name}}</b>!',
>         name=name)
>
> run(host='localhost', port=8080)
> ```
>
> There are docs and every function is Ctrl-F'able within bottle.py.
>
> On Friday, March 30, 2018, kirby urner <kirby.urner at gmail.com> wrote:
>
>>
>> Very interesting.  I note that free users are relegated to Python 2.7
>>
>> Server modules can be Python 3.6 (outside the free version)
>>
>> Client stuff compiles to JavaScript and is approximately 2.7
>>
>> That's a bit confusing maybe.  I try to avoid 2.7 but that's not easy.
>>
>> In my Coding with Kids work, we use Codesters.com to teach Python, which
>> depends on Skulpt.  Also 2.x ish.
>>
>> Kirby
>>
>>
>>
>> On Fri, Mar 30, 2018 at 11:49 AM, Jason Blum <jason.blum at gmail.com>
>> wrote:
>>
>>> http://anvil.works/ is a pretty interesting approach to Python web
>>> applications.
>>>
>>> On Fri, Mar 30, 2018 at 2:05 PM, kirby urner <kirby.urner at gmail.com>
>>> wrote:
>>>
>>>>
>>>> Hi Aivar --
>>>>
>>>> I think it's a fine idea to write simple Python scripts that write HTML
>>>> files, which you may then pull up in the browser.
>>>>
>>>> There's no need to put a server behind static web pages.  So, for
>>>> example, I'll have my students write a page of bookmarks:
>>>>
>>>> # -*- coding: utf-8 -*-
>>>> """
>>>> Created on Wed Nov  4 18:02:30 2015
>>>>
>>>> @author: Kirby Urner
>>>> """
>>>>
>>>> # tuple of tuples
>>>> bookmarks = (
>>>>     ("Anaconda.org", "http://anaconda.org"),
>>>>     ("Python.org", "http://python.org"),
>>>>     ("Python Docs", "https://docs.python.org/3/"),
>>>>     ("Spaghetti Code", "http://c2.com/cgi/wiki?SpaghettiCode"),
>>>>     ("Structured Programming", "http://c2.com/cgi/wiki?StructuredProgramming"),
>>>>     ("Map of Languages", "http://archive.oreilly.com/pub/a/oreilly//news/languageposter_0504.html"),
>>>>     ("XKCD", "http://xkcd.com"),
>>>>     )
>>>>
>>>> page = '''\
>>>> <!DOCTYPE HTML>
>>>> {}
>>>> '''
>>>>
>>>> html = """\
>>>> <HTML>
>>>> <HEAD>
>>>> <TITLE>Bookmarks for Python</TITLE>
>>>> </HEAD>
>>>> <BODY>
>>>> <H3>Bookmarks</H3>
>>>> <BR />
>>>> <UL>
>>>> {}
>>>> </UL>
>>>> </BODY>
>>>> </HTML>
>>>> """.lower()
>>>>
>>>> the_body = ""
>>>> for place, url in bookmarks:
>>>>     the_body += "<li><a href='{}'>{}</a></li>\n".format(url, place)
>>>>
>>>> webpage = open("links.html", "w")
>>>> print(page.format(html.format(the_body)), file=webpage)
>>>> webpage.close()
>>>>
>>>> All you need to add to your example is using print() to save to a file, so
>>>> the browser has something to open.
>>>>
>>>> I would not call this a "web app" yet it's instructive in showing how
>>>> Python can write HTML files.
>>>>
>>>> Kirby
>>>>
>>>>
>>>>
>>>> On Wed, Mar 28, 2018 at 12:18 AM, Aivar Annamaa <aivar.annamaa at ut.ee>
>>>> wrote:
>>>>
>>>>> Hi!
>>>>> Let's say my students are able to write programs like this:
>>>>>
>>>>> name = input("name")
>>>>>
>>>>> if name == "Pete":
>>>>>     greeting = "Hi"
>>>>> else:
>>>>>     greeting = "Hello!"
>>>>>
>>>>> print(f"""
>>>>> <html>
>>>>> <body>
>>>>> {greeting} {name}!
>>>>> </body>
>>>>> </html>
>>>>> """)
>>>>>
>>>>> I'd like to allow them to start writing web-apps without introducing
>>>>> functions first (most web-frameworks require functions).
>>>>>
>>>>> It occurred to me that it's not hard to create a wrapper, which
>>>>> presents this code as a web-app (input would be patched to look up
>>>>> GET or POST parameters with given name).
>>>>>
>>>>> This approach would allow simple debugging of the code on local
>>>>> machine and no extra libraries are required in this phase.
>>>>>
>>>>> Any opinions on this? Has this been tried before?
>>>>>
>>>>> best regards,
>>>>> Aivar
>>>>>
>>>>> _______________________________________________
>>>>> Edu-sig mailing list
>>>>> Edu-sig at python.org
>>>>> https://mail.python.org/mailman/listinfo/edu-sig
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>
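Aivar's proposal at the bottom of the thread, a wrapper that presents a plain `input()`/`print()` script as a web app, can be built on the standard library alone. The block below is an added example of that idea, not Aivar's or Wes's code: it assumes the student script is held in a string (`STUDENT_SCRIPT`, a constructed copy of Aivar's example), answers `input(prompt)` from the GET or POST parameter named by the prompt, and HTML-escapes each value before the script sees it, so the thread's XSS concern is handled in the wrapper rather than by the student.

```python
import contextlib
import html
import io
from urllib.parse import parse_qs

# Constructed stand-in for a student's script (Aivar's example, verbatim).
STUDENT_SCRIPT = '''
name = input("name")

if name == "Pete":
    greeting = "Hi"
else:
    greeting = "Hello!"

print(f"""
<html>
<body>
{greeting} {name}!
</body>
</html>
""")
'''


def run_script_as_page(script, params):
    """Run `script` with input(prompt) answered from `params` and return
    everything it printed as the page body.

    `params` is the dict produced by urllib.parse.parse_qs (values are
    lists). Values are HTML-escaped on the way in, so the script's plain
    f-string cannot be used to inject markup into the page.
    """
    def web_input(prompt=""):
        value = params.get(prompt, [""])[0]
        return html.escape(value)

    buf = io.StringIO()
    with contextlib.redirect_stdout(buf):
        # The script gets its own globals; only input() is replaced.
        exec(script, {"input": web_input})
    return buf.getvalue()


def wsgi_app(environ, start_response):
    """Minimal WSGI adapter: read GET or POST parameters, run the script."""
    if environ.get("REQUEST_METHOD") == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        params = parse_qs(environ["wsgi.input"].read(length).decode("utf-8"))
    else:
        params = parse_qs(environ.get("QUERY_STRING", ""))
    body = run_script_as_page(STUDENT_SCRIPT, params).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Bind to the loopback address only; as Wes notes, every program and
    # user on the machine can still reach it there.
    with make_server("127.0.0.1", 8080, wsgi_app) as httpd:
        print("Serving on http://127.0.0.1:8080/?name=Pete")
        httpd.serve_forever()
```

Escaping inside `input()` is a deliberate trade-off for a teaching wrapper: the student never has to call `html.escape`, but a value such as `O'Brien` reaches the script as `O&#x27;Brien`, so string comparisons on names containing `&`, `<`, `>` or quotes will not match. A framework-based version would instead escape in the template, as the Bottle example earlier in the thread does.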