cgi security

Sheila King sheila at spamcop.net
Wed Apr 4 02:16:53 EDT 2001


On Tue, 3 Apr 2001 08:59:09 +0100, Robin Becker <robin at jessikat.fsnet.co.uk>
wrote in comp.lang.python in article <CnJ4eIANLYy6Ewi7 at jessikat.fsnet.co.uk>:

:Are there any possible break ins in lib/cgi.py that someone malicious
:could exploit? The classic exploits seem quite hard to find in python
:code unless people start using fixed length buffers etc, but are there
:other opportunities (perhaps more pythonic)?

I'm quite interested in the topic of cgi security myself, lately. I'm working
on a script that I will probably release, and I want to cross my t's and dot
my i's.

Browsing the web and researching this topic a bit, it seems that a primary
rule is to CHECK ALL USER INPUT. Or at least, don't make it possible for
system calls to use user input.

I'm writing a form-mail script, and I have two questions right now:

(1) I have my script use the rfc822 module to assemble my e-mail message. The
rfc822 module already has some functions for dealing with e-mail message
headers. For instance, it has functions that will search for a particular
header-field by name (such as "To"), and return the addresses in that field.

One thing that seems to be important (?) is to check that at least the e-mail
addresses input by users are in the correct e-mail format.

I was looking at the rfc822 module code a bit tonight, and I'm thinking:
Is this really going to that much trouble to assure that the addresses are in
proper format, or is it just accepting that the input is probably not error
ridden? (After all, that module is written for parsing supposedly RFC 822
compliant email...not really for security checks.) I was wondering if I
should incorporate the regex recommended here:
http://www.aota.net/ubb/Forum17/HTML/000043-1.html

(It looks horrible, and I don't really "get" regular expressions. I understand
the basic concept of a regex ok, but have always avoided working with them.
They've never been necessary for anything I've had to do.)

(2) I'm trying to write my script so that it can use either sendmail, if
available, or else the smtplib module. The smtplib module already bombs if it
gets a badly formatted mail, so I'm not too worried about that. I guess one
has to be careful on unix-type systems, because the devices and programs are
basically accessed by "opening a file", and if

text is the identifier pointing to a supposedly properly formatted email that
I want to send

and

PathToSENDMAIL is an identifier pointing to a string with the path to
sendmail, then I can send a message as follows:

import os

# sendmail is a program, so it has to be started as a process and the
# message written to its standard input; a plain open() would only try
# to create a file literally named "<path to sendmail> -t".
f = os.popen(PathToSENDMAIL + ' -t', 'w')
f.write(text)
f.close()

I'm thinking this should be fairly secure, since sendmail has already been
told that the "text" that is coming next is a message, and not something that
could possibly be executed?

I suppose if I don't want that to bomb, I need to carefully check the composed
message and make sure that it is formatted correctly?

Thanks for any help,

--
Sheila King
http://www.thinkspot.net/sheila/
http://www.k12groups.org/
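A defensive sketch of the input checks asked about above (validating recipient addresses and keeping form fields from injecting extra mail headers), added here as an example and not code from the original thread; it uses the modern email package instead of rfc822, and the form field names are assumed.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Shape of one plain address, local@domain with a dotted domain.  This is
# deliberately narrower than RFC 822 allows: a form-mail script only needs
# to accept ordinary addresses, not every syntactically legal one.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def valid_address(value):
    """True only for a single bare address with no header-breaking
    characters (CR, LF, NUL) and no display-name or angle-bracket form."""
    if not isinstance(value, str) or len(value) > 254:
        return False
    if any(ch in value for ch in "\r\n\x00"):
        return False
    name, addr = parseaddr(value)
    # parseaddr also accepts "Name <addr>"; require that what it parsed
    # is exactly what the user submitted, so nothing can hide around it.
    if name or addr != value:
        return False
    return _ADDR_RE.match(addr) is not None


def clean_header(value, max_len=200):
    """Collapse a user-supplied header value onto one line: a CR/LF in a
    Subject would otherwise start a new header (e.g. an extra Bcc:)."""
    return " ".join(str(value).splitlines())[:max_len]


def build_message(form, sender):
    """Assemble the outgoing message from form fields (assumed names:
    'to', 'subject', 'body').  Rejects the request on a bad recipient."""
    to = form.get("to", "")
    if not valid_address(to):
        raise ValueError("bad recipient address")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = clean_header(form.get("subject", "(no subject)"))
    msg.set_content(str(form.get("body", "")))
    return msg
```

The resulting EmailMessage can be handed to smtplib.SMTP.send_message or written to sendmail's stdin as msg.as_string().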