
Author: sketerpot
Date: 2002-01-08 02:48:18

Content
This might just add unnecessary bloat, but since Python is being used in CGI scripts, it can be used to narrow a security hole. One way of breaking security is for a naive programmer (don't try to deny their existence) to run an arbitrary command from the page viewer.

Perl has developed an interesting mechanism for helping with this: taint. The way it works is, when something comes directly from the user, like a key in a form, it is considered to have taint unless specifically untainted. Things like os.exec() would create a warning message if you passed tainted strings to them.

As I said, this might just add unnecessary bloat, but for an option that can be left out for most builds of Python I think it would be pretty nice.
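The taint mechanism described in the message, sketched as an added Python example (this is not code from the original message, from Perl, or from any Python taint proposal): a str subclass marks CGI form values on arrival, the common string operations carry the mark along, a command-execution sink refuses marked arguments, and a Perl-style whole-string regex check is the only way to clear the mark. The names `Tainted`, `untaint`, `guard`, `run_guarded` and `form_fields`, and the query string, are assumptions constructed for the example.

```python
import re
import subprocess
from urllib.parse import parse_qsl


class TaintError(ValueError):
    """Raised when tainted data reaches a sensitive sink or fails untainting."""


class Tainted(str):
    """A str that came directly from an untrusted source (e.g. a CGI form field).

    String operations that build a new string from a Tainted operand return a
    Tainted, so the mark follows the data through ordinary manipulation.
    str(value) deliberately yields a plain str, which is the escape hatch
    untaint() uses after validating the data.
    """
    __slots__ = ()

    def __add__(self, other):                 # tainted + "x"
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):                # "ls " + tainted
        return Tainted(str.__add__(other, self))

    def __mod__(self, args):                  # tainted % (...)
        return Tainted(str.__mod__(self, args))

    def __rmod__(self, fmt):                  # "ls %s" % tainted
        return Tainted(str.__mod__(fmt, self))

    def __repr__(self):
        return "Tainted(%s)" % str.__repr__(self)


def _propagating(name):
    """Wrap a str method so a str result is re-marked as Tainted."""
    base = getattr(str, name)

    def method(self, *args, **kwargs):
        result = base(self, *args, **kwargs)
        return Tainted(result) if isinstance(result, str) else result

    method.__name__ = name
    return method


for _name in ("__getitem__", "__mul__", "format", "replace", "strip", "lstrip",
              "rstrip", "lower", "upper", "casefold", "join"):
    setattr(Tainted, _name, _propagating(_name))


def form_fields(query_string):
    """Parse a CGI query string; every value is tainted on arrival."""
    return {k: Tainted(v) for k, v in parse_qsl(query_string, keep_blank_values=True)}


def untaint(value, pattern):
    """Perl-style untainting: trust the data only if the whole string matches
    a pattern describing what the program expects, and return a plain str."""
    if re.fullmatch(pattern, value) is None:
        raise TaintError("value %r does not match %r" % (value, pattern))
    return str(value)  # the mark is dropped on purpose, after validation


def guard(argv):
    """Refuse to hand tainted strings to a command-execution sink."""
    for i, arg in enumerate(argv):
        if isinstance(arg, Tainted):
            raise TaintError("argument %d of %r is tainted: %r" % (i, argv[0], arg))
    return [str(a) for a in argv]


def run_guarded(argv):
    """The sink: a guarded stand-in for os.exec*()/subprocess (no shell)."""
    return subprocess.run(guard(argv), shell=False, capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed request: a harmless field and a shell-metacharacter payload.
    form = form_fields("file=report.txt&name=x%3Brm+-rf+%2F")
    fname = form["file"]
    try:
        guard(["cat", "logs/" + fname])       # taint survives the concatenation
    except TaintError as err:
        print("blocked:", err)
    safe = untaint(fname, r"[A-Za-z0-9_.-]+")  # only a bare filename is allowed
    print(guard(["cat", "logs/" + safe]))
    try:
        untaint(form["name"], r"[A-Za-z0-9_.-]+")
    except TaintError as err:
        print("rejected:", err)
```

Because the mark lives in the object rather than in the interpreter, anything that builds a new string without going through a Tainted method drops it: `" ".join(["cat", fname])` and an f-string with literal text both produce a plain str. Perl can track those cases only because the flag is carried by the interpreter itself, which is exactly the kind of interpreter-level cost the message weighs against the benefit.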
History
Date                 User   Action  Args
2007-08-23 16:01:57  admin  link    issue500698 messages
2007-08-23 16:01:57  admin  create