Info Node: (python2.1-lib.info)Caring about security

Caring about security
---------------------

There's one important rule: if you invoke an external program (e.g.
via the `os.system()' or `os.popen()' functions), make very sure you
don't pass arbitrary strings received from the client to the shell.
This is a well-known security hole whereby clever hackers anywhere on
the web can exploit a gullible CGI script to invoke arbitrary shell
commands.  Even parts of the URL or field names cannot be trusted,
since the request doesn't have to come from your form!

To be on the safe side, if you must pass a string gotten from a form to
a shell command, you should make sure the string contains only
alphanumeric characters, dashes, underscores, and periods.
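The allow-list rule above, worked through in Python 3 as an added example (not code from the cgi module or its documentation): the validator accepts only alphanumerics, dashes, underscores and periods, it is applied to field names as well as values, and the external program is run with an argument list so no shell ever parses the client's data. The "external program" here is a stand-in: the interpreter echoing its first argument, chosen so the example runs offline.

```python
import re
import subprocess
import sys

# Allow-list taken from the text: alphanumerics, dashes, underscores, periods.
# fullmatch() is used rather than match() with "$", because "$" also matches
# just before a trailing newline and would let "name\n" slip through.
SAFE_TOKEN = re.compile(r'[A-Za-z0-9_.-]+')


def is_safe_token(value):
    """True only if value is non-empty and uses the permitted characters."""
    return SAFE_TOKEN.fullmatch(value) is not None


def validate_form(fields):
    """Check field names as well as values: the request need not come from your form.

    fields is a plain dict standing in for what you would pull out of
    cgi.FieldStorage.  Returns the list of (name, value) pairs that were rejected.
    """
    rejected = []
    for name, value in fields.items():
        if not (is_safe_token(name) and is_safe_token(value)):
            rejected.append((name, value))
    return rejected


def unsafe_command(filename):
    """The pattern the text warns against: client data spliced into a shell string.

    Returned as a string only, never executed; os.system() would hand the whole
    thing to /bin/sh, metacharacters included."""
    return "wc -l " + filename


def safe_run(filename):
    """Validate first, then run with an argv list so the value is one argument."""
    if not is_safe_token(filename):
        raise ValueError("rejected field value: %r" % (filename,))
    # Hypothetical stand-in for the real external program (assumption, not part
    # of the text): the interpreter prints its first argument back unchanged.
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", filename],
        stdout=subprocess.PIPE, universal_newlines=True, check=True)
    return proc.stdout.strip()


if __name__ == "__main__":
    # Constructed sample input: one well-formed field, one carrying a shell metacharacter.
    form = {"logfile": "access.log", "user": "alice; id"}
    print(validate_form(form))           # [('user', 'alice; id')]
    print(unsafe_command(form["user"]))  # what /bin/sh would have received
    print(safe_run(form["logfile"]))     # access.log
```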
