[EMAIL PROTECTED] wrote:
> Clodoaldo Pinto Neto wrote:
>
>>print '<p>The submited name was "' + name + '"</p>'
>
> Bzzt! Script injection security hole. See cgi.escape and use it (or a
> similar function) for *all* text -> HTML output.
>
>>open('files/' + fileitem.filename, 'w')
>
> BZZZZZZT. filesystem overwriting security hole, possibly escalatable to
> code execution. clue: fileitem.filename= '../../something.py'

Technically this subclass of canonicalization error is known as a directory traversal bug.

>>sid = cookie['sid'].value
>>session = shelve.open('/tmp/.session/sess_' + sid
>
> Bad filename use allows choice of non-session files, opening with
> shelve allows all sorts of pickle weirdnesses. Just use strings.
>
>>p = sub.Popen(str_command,
>
> o.O
>
> Sure this stuff may not matter for Hello World on a test server, but if
> you're writing a tutorial you should ensure newbies know the Right Way
> to do it from the start. The proliferation of security-oblivious PHP
> tutorials is directly responsible for the disastrous amount of
> script-injection- and SQL-injection-vulnerable webapps out there -
> let's not have the same for Python.
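The four fixes the quoted reply asks for (escape text before it becomes HTML, validate the upload filename instead of trusting it, validate the session id and keep the session store free of pickle, hand Popen an argument list rather than a shell string), as an added example that is neither code from this thread nor from the tutorial it criticises. It uses html.escape, the modern replacement for cgi.escape, and assumes a session id is 32 hex digits; the directory names are the tutorial's.

```python
import html
import os
import re
import subprocess

UPLOAD_DIR = "files"            # upload directory used by the quoted tutorial
SESSION_DIR = "/tmp/.session"   # session directory used by the quoted tutorial

def render_name(name):
    """Escape user text before it is placed in HTML; html.escape succeeds cgi.escape."""
    return '<p>The submitted name was "' + html.escape(name, quote=True) + '"</p>'

# One plain path component: no separators, no leading dot, limited charset and length.
_SAFE_LEAF = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

def is_safe_filename(filename):
    """True only for a bare leaf name; '../../something.py' and 'a/b' are rejected."""
    return bool(_SAFE_LEAF.match(filename))

def safe_upload_path(filename, upload_dir=UPLOAD_DIR):
    """Build the destination path for a validated name, then re-check containment."""
    if not is_safe_filename(filename):
        raise ValueError("rejected upload filename: %r" % filename)
    root = os.path.realpath(upload_dir)
    path = os.path.realpath(os.path.join(root, filename))
    if os.path.dirname(path) != root:      # defence in depth against symlink tricks
        raise ValueError("upload path escapes %s" % root)
    return path

_SID = re.compile(r"^[0-9a-f]{32}$")       # assumed session-id format: 32 hex digits

def is_valid_sid(sid):
    """Only a well-formed id may be used to name a session file."""
    return bool(_SID.match(sid))

def session_path(sid, session_dir=SESSION_DIR):
    """Session data belongs in a JSON (string) file, not a shelve/pickle store."""
    if not is_valid_sid(sid):
        raise ValueError("malformed session id")
    return os.path.join(session_dir, "sess_" + sid + ".json")

def run_command(argv):
    """Pass an argument list with shell=False so no shell ever parses user input."""
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, check=True)
    return result.stdout
```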
I was teaching this week's class about SQL injection vulnerabilities earlier today. One student mentioned estimates that *11%* of all Internet web sites are vulnerable to such exploits. Another, a policeman, pointed out that he'd had news just today of an injection exploit on a major credit card company's web site. The number of credit card numbers harvested by the attack has not yet been announced.

Credit card numbers should be encrypted in the database, of course, but they rarely are (even by companies whose reputations imply they ought to know better).

Yup, in the wacky world of the 21st century web if a thing's worth doing it's worth screwing up completely ...

regards
Steve
--
Steve Holden +44 150 684 7255 +1 800 494 3119
Holden Web LLC/Ltd http://www.holdenweb.com
Skype: holdenweb http://holdenweb.blogspot.com
Recent Ramblings http://del.icio.us/steve.holden