Jpython

Wang Wei weiwa592 at student.liu.se
Mon Jun 12 10:47:34 EDT 2000


Hi,
I want to implement my project of Unix progress monitor in Jpython or
Java with python. Please kindly send me some example code so that I can
refer to and read to study the ender's language.

Thank you!

WW

Date: Sun, 11 Jun 2000 20:27:28 -0500
To: Toy <gee308 at mediaone.net>
Subject: Re: quick newbie question on variables. please answer

On Thu, Jun 08, 2000 at 09:56:35PM +0000, Toy wrote:
> I'm a programming newbie, so most of these concepts are basic to me.  I'm
> trying to write really basic CGI programs just to get started.  How
> would I pass a text variable that a user entered to find a man page for
> a tool?  This is the code I wrote (startx is just a command I wrote in,
> but how would I write it so any tool could be inputted) the 3rd line of
> code is written wrong for sure:
> 
> #!/usr/bin/python
> import commands
> b = commands.getstatusoutput('man %x!') % startx
> print = b
> 
>   I know that this is a real basic question, but I am 100% new to
> programming and I am self teaching.  Also, are there large security risks
> if this program is on a web server (if so, how could I fix it?)?  Thanks
> for your time in advance.
> 

Yes, there is a security risk with this. For example, what if someone wrote
(for the variable) '""; cat /etc/passwd'? The shell would first execute
'man ""', and then after that it would execute 'cat /etc/passwd'. Then the
site user has instant knowledge of all users on the system. That's just
a minor example, of course, it can get much worse if the user running the
script has any privileges. One way of dealing with this is sanitizing
the input, i.e., strip pretty much anything except alphanumeric characters.
Also, make sure the script is run with very limited permissions. Those
are the basics, some other people may have more suggestions or better ways
to do the above.

And limit the variable length. Don't want some 'man' buffer overflow causing
you problems (and limit the length in python, as html-enforced limits can
be easily overridden).

-- 
Derek Moeller

         /"\
         \ /     ASCII Ribbon Campaign
          X      Against HTML Mail
         / \
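
The advice in the reply above (allowlist the input and cap its length in Python), as an added example that is not part of the original thread. It uses `subprocess` from current Python 3 in place of the `commands` module in the question, passes the name as an argument vector so no shell parses it, and rejects bad input rather than stripping it; `MAX_LEN`, the allowlist pattern and the function names are assumptions.

```python
import re
import subprocess

MAX_LEN = 64  # assumed cap; enforced here on the server, not in the HTML form
# Allowlist (assumed): first character alphanumeric, so the value can never be
# read as an option, then alphanumerics plus the punctuation man page names use.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*")


def validate_page_name(raw):
    """Return raw unchanged if it is an acceptable page name, else raise ValueError."""
    if not isinstance(raw, str) or not 0 < len(raw) <= MAX_LEN:
        raise ValueError("name missing or too long")
    # fullmatch, not match with '$': '$' would accept a trailing newline.
    if NAME_RE.fullmatch(raw) is None:
        raise ValueError("name contains characters outside the allowlist")
    return raw


def build_argv(raw):
    """Argument vector for man; the user's text is one argv entry, never shell text."""
    return ["man", validate_page_name(raw)]


def lookup(raw, timeout=5):
    """Run man and return (status, output), the shape getstatusoutput returned."""
    try:
        argv = build_argv(raw)
    except ValueError as exc:
        return 2, "rejected: %s" % exc
    try:
        proc = subprocess.run(argv, stdin=subprocess.DEVNULL,
                              stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                              timeout=timeout,
                              env={"PATH": "/usr/bin:/bin", "LANG": "C"})
    except (OSError, subprocess.TimeoutExpired) as exc:
        return 127, "man could not be run: %s" % exc
    return proc.returncode, proc.stdout.decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed inputs: a normal name, the string from the reply, an oversized one.
    for sample in ("ls", '""; cat /etc/passwd', "a" * 500):
        status, text = lookup(sample)
        print(repr(sample[:30]), status, text.splitlines()[:1])
```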



