Python cgi

Mike Meyer mwm at mired.org
Fri Oct 21 19:10:59 EDT 2005


"jbrewer" <jeremy.d.brewer at gmail.com> writes:
> Also, I need to run an external program with my CGI script using
> something like os.system with flags from input forms, which is a major
> security risk.  Is it simply enough to test for flag.isalnum() or
> should I do more to prevent random programs from being run?  I should
> also do some minimal DOS protection as well, so information on how to
> do that simply would be appreciated as well.

Map the input data through a dictionary:

    import subprocess
    flags = dict(longflag = '-l', verboseflag = '-v')  # ... other known flags
    comflags = [flags[flag] for flag in flags if form.getfirst(flag)]
    subprocess.call([mycommand] + comflags)  # argument list, no shell

or words to that effect. The critical thing is that data from over
the net never goes into the command, it's just used to look up values
in the dictionary, which provides strings you know are safe to pass to
the command.

The downside is that the client can only use flags your code knows
about. Of course, that's also an *upside*.

       <mike
-- 
Mike Meyer <mwm at mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
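The allow-list mapping described above, written out as an added example (not code from the original post); `build_argv`, `FLAGS` and the plain-dict stand-in for `cgi.FieldStorage` are assumptions made here:

```python
import subprocess

# Allow-list: form field name -> exact flag string handed to the command.
# Only these literal strings can ever reach argv; a submitted value is
# only tested for truthiness and is never copied into the command line.
FLAGS = {
    "longflag": "-l",
    "verboseflag": "-v",
}


def build_argv(command, form):
    """Return an argument vector for `command` from submitted form data.

    `form` is any mapping of field name -> submitted value (a constructed
    stand-in for cgi.FieldStorage; form.getfirst(name) behaves the same
    way).  The loop walks the allow-list rather than the form, so field
    names the code does not know about are silently ignored and neither
    a hostile field name nor a hostile value has anything to inject into.
    """
    argv = [command]
    for field, flag in FLAGS.items():
        if form.get(field):
            argv.append(flag)
    return argv


def run(command, form):
    # Pass a list and keep shell=False: no shell parses these arguments,
    # so metacharacters in the flags or the command are not interpreted.
    return subprocess.run(build_argv(command, form), check=False).returncode


if __name__ == "__main__":
    # Constructed sample input: one real flag, one empty flag, two hostile fields.
    constructed_form = {
        "longflag": "on",
        "verboseflag": "",
        "$(id)": "1",
        "extra": "; rm -rf /",
    }
    print(build_argv("ls", constructed_form))  # ['ls', '-l']
```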