Python CGI Script

Steve Holden steve at holdenweb.com
Sun Oct 2 05:43:58 EDT 2005 

Efrat Regev wrote:
>      Hello,
> 
>      I'm a data-structures course TA trying to write a python CGI script 
> for automatically compiling and testing students' projects. 
> Unfortunately, I've run into some questions while writing this, which I 
> couldn't solve with the various (and helpful) python-CGI documentation. 
> (It's possible that I'm posting to the wrong group; if so, I'd 
> appreciate suggestions for the appropriate group.)
> 
> 
> 1. In my HTML page, I have the following:
> 
> <form method="post" action="submission_processor.py" 
> enctype="multipart/form-data">
> ...
> </form>
> 
>      In the above, submission_processor.py is the python CGI script. I 
> didn't write a URL in the action field, since I'm first testing 
> everyting on a local machine (running FC4). The first line of 
> submission_processor.py is
> 
> #!/usr/bin/python
> 
> and I've done
> 
> chmod +x submission_processor.py
> 
>      When I hit the "submit" button, my browser (Firefox on FC4) doesn't 
> run the script; it asks me whether it should open 
> submission_processor.py or save it to disk. I couldn't figure out why.
> 
You also have to have the executable script inside a directory that is 
recognised as being a script directory (usually achieved with an Apache 
ScriptAlias directive), or have the server otherwise recognise .py files 
as executable (just setting the +x mode bit isn't enough).

In the absence of such knowledge the server just returns the content of 
the file rather than the content produced by *executing* the file.

> 2. My HTML page has the option for an instructor to list the various 
> submissions and scores. Obviously, this should be inaccessible to 
> students. The instructor has a password for doing this, therefore. 
> Suppose I place the password inside a python script, and give this 
> script only +x permission for others. Is this  adequate as far as security?
> 
That depends on whether you wanted to use HTTP security (provided 
automatically by the web server) or application security (provided by 
your code).

In the case of a script which is for general running but where some of 
the script's functionality shouldn't be generally available you are 
stuck with the latter. It's OK to have passwords in your script as long 
as you are sure that the script isn;t going to be served up as content 
like it currently is!

> 
>      Thanks in advance for answering these questions.
> 
> 
>       Efrat

regards
  Steve
-- 
Steve Holden       +44 150 684 7255  +1 800 494 3119
Holden Web LLC                     www.holdenweb.com
PyCon TX 2006                  www.python.org/pycon/

More information about the Python-list mailing list