Python CGI security
Thomas Wouters
thomas at xs4all.nl
Mon Jul 3 08:03:16 EDT 2000
On Mon, 03 Jul 2000 13:33:54 +0200, Michael Ströder <michael at stroeder.com>
wrote:
>Moshe Zadka wrote:
>> There are a few types of "potential security holes":
>>
>> -- exposing insecure parts of the API, such as os.system(). These should
>> stay, since the user should have those at his disposale
>Would it be possible to provide a secure version in the Python lib
>of e.g. os.system() with same function parameters but less unsecure
>behaviour instead of just wrapping it 1:1?
How could os.system() be more secure ? The way it is defined leaves no room
for restriction. (It calls a shell to interpret the string passed in, after
all.)
What Python does do, is provide more convenient variants of os.exec*(), in
the form of os.spawn*(). (At least, in Python 2.0) Also, writing your own
'secure' system() in terms of fork() and exec*() is fairly easy.
Your-code-is-as-secure-as-you-make-it-ly y'rs,
Thomas.
More information about the Python-list
mailing list