Security notes

• Watch out when passing fields to the shell

  • e.g. os.popen("finger %s" % form["user"].value)
  • what if the value is "; cat /etc/passwd" ...

• Solutions:

  • Quote:
    • user = pipes.quote(form["user"].value)
  • Refuse:
    • if not re.match(r"^\w+$", user): ...error...
  • Sanitize:
    • user = re.sub(r"\W", "", form["user"].value)

Previous slide

Next slide

Back to first slide

View graphic version