Yurttas/PL/SL/python/docs/core-python-programming/doc/152/lib/node209.html
|
[[yurttas/PL/SL/python/docs/core-python-programming/doc/152/lib/node210.html| |
[[yurttas/PL/SL/python/docs/core-python-programming/doc/152/lib/module-cgi.html| |
[[yurttas/PL/SL/python/docs/core-python-programming/doc/152/lib/Functions in cgi module.html| |
Python Library Reference |
[[yurttas/PL/SL/python/docs/core-python-programming/doc/152/lib/contents.html| |
[[yurttas/PL/SL/python/docs/core-python-programming/doc/152/lib/modindex.html| |
[[yurttas/PL/SL/python/docs/core-python-programming/doc/152/lib/genindex.html| |
Next: 11.1.6 Installing your CGI Up: 11.1 cgi Previous: 11.1.4 Functions
11.1.5 Caring about security
There's one important rule: if you invoke an external program (e.g. via the os.system() or os.popen() functions), make very sure you don't pass arbitrary strings received from the client to the shell. This is a well-known security hole whereby clever hackers anywhere on the web can exploit a gullible CGI script to invoke arbitrary shell commands. Even parts of the URL or field names cannot be trusted, since the request doesn't have to come from your form!
To be on the safe side, if you must pass a string gotten from a form to a shell command, you should make sure the string contains only alphanumeric characters, dashes, underscores, and periods.
|
[[yurttas/PL/SL/python/docs/core-python-programming/doc/152/lib/node210.html| |
[[yurttas/PL/SL/python/docs/core-python-programming/doc/152/lib/module-cgi.html| |
[[yurttas/PL/SL/python/docs/core-python-programming/doc/152/lib/Functions in cgi module.html| |
Python Library Reference |
[[yurttas/PL/SL/python/docs/core-python-programming/doc/152/lib/contents.html| |
[[yurttas/PL/SL/python/docs/core-python-programming/doc/152/lib/modindex.html| |
[[yurttas/PL/SL/python/docs/core-python-programming/doc/152/lib/genindex.html| |
Send comments on this document to python-docs@python.org.