> And I can't see the security problem, unless there's a security
> problem already, like if I allowed incoming email to dictate the
> parameters that I send through the socket.  The email provides data
> for argv[1:] but argv[0] is hard-coded.
>
> And I don't see how web traffic can get there at all.

You can generate a CGI call by typing the GET string straight into
the address bar of the browser. If a smart user realises that some
of the parameters are being interpreted they can (and often will)
try to fake what the page generates; this could involve putting
python commands, such as 'import os;os.system("rm -f /")', into
the escape string...

Equally, if you embed Python in a program and allow users to type
strings which are then exec()'d or eval()'d, they could type a
similar os.system() command. Or they might use print and dir
to find variable names and manipulate those.

Even in a config file, if it's plain text a hostile (or just
mischievous) user could add a dangerous line, and when you try
to exec it bad things happen. Any time you allow users to
influence what code runs you have potential for trouble
- that is the principle behind all these "buffer overrun"
security errors as well as all the script kiddie attacks
- MS allows Outlook to run scripts when mail is open, if
those scripts are harmful we have a virus!

> If we had real users with login rights, then they could get to the
> interpreter and wouldn't need my little daemon to wreak havoc -- if I
> had my permissions wrong.

But by opening access to exec() you effectively give your users
access to a Python session within *your* login rights (or root
or the web user etc).

It's not a trivial thing to exploit, but it can be done, and
either accidentally(*) or deliberately bad things can result.

(*) Recall that one of the most common user support issues on
Unix systems is people typing "rm / foo" with a space instead of
"rm /foo". The first one (attempts to) delete the root
directory - oops!

Alan G.
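An added example (not from Alan's mail or the original poster's daemon) showing the defensive alternatives the thread points at: parsing a CGI-style parameter with ast.literal_eval instead of eval(), and dispatching a typed command line to an allow-list instead of exec()'ing it. The parameter and command names are constructed for the illustration.

```python
"""Handling user-supplied strings without exec()/eval().
The sample inputs are constructed for this illustration."""
import ast
import shlex
from typing import Any, Callable

# Constructed inputs: the injection string quoted in the mail, a harmless
# literal, and an arithmetic expression that is valid Python but not a literal.
HOSTILE = 'import os;os.system("rm -f /")'
LITERAL = '[1, 2, 3]'
EXPRESSION = '2**10'


def parse_param_unsafe(text: str) -> Any:
    """The pattern being warned about: eval() runs whatever was typed.
    Kept only for contrast; never call it on data you do not control."""
    return eval(text)  # deliberately unsafe


def parse_param_safe(text: str) -> Any:
    """ast.literal_eval accepts only Python literals (numbers, strings,
    tuples, lists, dicts, sets, booleans, None). Statements, calls and
    even arithmetic are refused, so nothing in the string can execute."""
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"rejected non-literal input: {text!r}") from exc


def run_user_command(line: str, commands: dict[str, Callable[..., Any]]) -> Any:
    """For an embedded-interpreter style prompt: split the typed line and
    dispatch to an explicit allow-list of functions instead of exec()'ing
    it. The user chooses arguments, never the code that runs (the same
    idea as keeping argv[0] hard-coded in the daemon)."""
    parts = shlex.split(line)
    if not parts or parts[0] not in commands:
        raise ValueError(f"unknown command: {line!r}")
    return commands[parts[0]](*parts[1:])


if __name__ == "__main__":
    print(parse_param_safe(LITERAL))
    for bad in (HOSTILE, EXPRESSION):
        try:
            parse_param_safe(bad)
        except ValueError as err:
            print(err)
    print(run_user_command("add 2 3", {"add": lambda a, b: int(a) + int(b)}))
```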

_______________________________________________
Tutor maillist  -  [EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/tutor
