"jbrewer" <[EMAIL PROTECTED]> writes: > Also, I need to run an external program with my CGI script using > something like os.system with flags from input forms, which is a major > security risk. Is it simply enough to test for flag.isalnum() or > should I do more to prevent random programs from being run? I should > also do some minimal DOS protection as well, so information on how to > do that simply would be appreciated as well.
Map the input data through a dictionary:

    import subprocess
    flags = dict(longflag='-l', verboseflag='-v')  # ... one entry per known flag
    # only fields actually set in the form, mapped through the dictionary
    comflags = [flags[flag] for flag in flags if form.getvalue(flag)]
    subprocess.call([mycommand] + comflags)  # argv list, no shell involved

or words to that effect. The critical thing is that data from over the net never goes into the command; it's just used to look up values in the dictionary, which provides strings you know are safe to pass to the command. The downside is that the client can only use flags your code knows about. Of course, that's also an *upside*.

<mike
--
Mike Meyer <[EMAIL PROTECTED]> http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
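The dictionary-lookup approach from the reply above, as a runnable example added here (not code from the original post). The field names, the flag strings and the plain-dict stand-in for a form object are assumptions, and a subprocess timeout is included as the minimal DoS guard the question asks about:

```python
import subprocess
import sys

# Allowlist: form field name -> argument string. Data from the network is
# only ever used as a key into this dict; the values are constants we chose.
# (Field names and flags are constructed for this example.)
FLAGS = {
    "longflag": "-l",
    "verboseflag": "-v",
    "allflag": "-a",
}

def build_argv(command, form):
    """Translate submitted form fields into an argv list for subprocess.

    `form` is any mapping of field name -> submitted value (a plain dict
    here; cgi.FieldStorage.getvalue() behaves the same way in a real CGI).
    Only names present in FLAGS can contribute, and only the constant flag
    string is appended, so neither a field name nor its value ever reaches
    the command line.
    """
    argv = [command]
    for field in sorted(FLAGS):        # sorted for a deterministic argv
        if form.get(field):
            argv.append(FLAGS[field])
    return argv

def run_limited(argv, timeout=5):
    """Run argv without a shell and with a wall-clock limit.

    shell=False passes the list straight to the OS (no word splitting, no
    metacharacters); the timeout stops one request from tying up a child
    forever. Returns the exit status, or None if the child was killed.
    """
    try:
        proc = subprocess.run(argv, shell=False, capture_output=True,
                              timeout=timeout)
    except subprocess.TimeoutExpired:
        return None
    return proc.returncode

def demo():
    """Exercise both pieces, using the current Python as a harmless child."""
    # A hostile field name is simply absent from FLAGS and is ignored;
    # an empty value means the flag was not set.
    form = {"longflag": "on", "verboseflag": "", "x; rm -rf /": "on"}
    mapped = build_argv("ls", form)[1:]                       # ['-l']
    ok = run_limited([sys.executable, "-c", "pass"])          # 0
    slow = run_limited([sys.executable, "-c", "import time; time.sleep(30)"],
                       timeout=1)                             # None
    return mapped, ok, slow
```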