I've been writing Python scripts that run locally. I would now like to offer a service online using one of these Python scripts, and through the web hosting I have I can run Python in the cgi-bin.

The Python script takes input from an HTML form filled in by the user, holds the credentials and connects to a local database, calculates things using Python libraries, and sends out the results as HTML to be displayed.

What I would like to know is what security precautions I should take. Here are my worries:

  • What are the right file permissions for scripts called via web? 755?
  • I am taking user input. How do I guarantee it is sanitized?
  • I have user/pass for the database in the script. How do I prevent the script from being downloaded and the code seen?
  • Can I install the other libraries next to the file? Do I have to worry about security of/in these as well? Do I set their permissions to 700? 744?
  • Any other vulnerability I am unaware of?
+3  A: 

Check out owasp.org. You're now writing a web application, and you need to worry about everything web apps need to worry about. The list is too long and complicated to place here, but OWASP is a good starting point.

atk
+1  A: 
  • File permissions - 755 is reasonable.
  • Sanitize your user input. That's how you guarantee it's sanitized. See this question.
  • Don't let people download the code for the script. You could also put the username/password in some directory that can't be accessed via the web (like outside the servable directories).
  • The best place to install other libraries is in your PYTHONPATH but outside the path Apache uses to serve things.
  • Vulnerabilities abound. Watch out for displaying things the user types, as that leads to XSS problems.
Nathon
Thanks for the link to sanitizing input; I am looking at it. This is a shared web hosting server, so I don't have full access to it to change PYTHONPATH or Apache. In this situation, do you think I can place it in other directories in my account? I have a root folder, a public_html folder, and within this one a cgi-bin. Should I place it in the root? Does the script have access to it while outside people don't? Finally, how do you guarantee that they can't download the code? Does the cgi-bin only return the results of execution, or can you download the raw file from there? Thank you.
greye
@greye: Please get a good Apache tutorial and read it.
S.Lott
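The points in this answer combined into one CGI handler, as an added example that is not code from the original post or from any of the participants. It assumes an account layout of ~/public_html/cgi-bin/ for the script (mode 755, no secrets in it) and ~/private/db.conf (mode 600, outside anything Apache serves) for the credentials, and it uses an in-memory sqlite3 table as a constructed stand-in for the hosting database; the table, column names, form fields and sample rows are made up for the example.

```python
#!/usr/bin/env python3
"""Hardened CGI handler (added example; layout below is assumed).

  ~/public_html/cgi-bin/calc.py   this script, mode 755, holds no secrets
  ~/private/db.conf               credentials, mode 600, never served by Apache
"""
import html
import os
import sqlite3
import stat
import sys
from urllib.parse import parse_qs

CREDENTIALS_PATH = os.path.expanduser("~/private/db.conf")  # assumed location


def is_private_mode(mode):
    """True when a file mode grants nothing to group or others (e.g. 0o600)."""
    return (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def parse_credentials(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            creds[key.strip()] = value.strip()
    return creds


def load_credentials(path=CREDENTIALS_PATH):
    """Read the credentials file, refusing one that other users could read."""
    mode = os.stat(path).st_mode
    if not is_private_mode(mode):
        raise PermissionError(f"{path} is group/world accessible: {stat.S_IMODE(mode):o}")
    with open(path, encoding="utf-8") as fh:
        return parse_credentials(fh.read())


def parse_form(query_string):
    """Keep only the expected fields, first value of each."""
    raw = parse_qs(query_string, keep_blank_values=True)
    return {k: raw[k][0] for k in ("name", "year") if k in raw}


def validate(form):
    """Allow-list validation: known fields with known shapes. Returns (ok, error)."""
    name = form.get("name", "")
    year = form.get("year", "")
    if not 1 <= len(name) <= 40:
        return False, "name must be 1-40 characters"
    if not year.isdigit() or not 1900 <= int(year) <= 2100:
        return False, "year must be a number between 1900 and 2100"
    return True, ""


def query(conn, name, year):
    """Parameterised query: user input never becomes part of the SQL text."""
    cur = conn.execute(
        "SELECT name, year, score FROM results WHERE name = ? AND year = ?",
        (name, int(year)),
    )
    return cur.fetchall()


def render(rows, form):
    """Escape everything from the user or the database before it enters HTML."""
    body = [f"<h1>Results for {html.escape(form['name'])}</h1>", "<ul>"]
    for name, year, score in rows:
        body.append(f"<li>{html.escape(name)} ({year}): {score}</li>")
    body.append("</ul>")
    return "\n".join(body)


def handle(query_string, conn):
    """Full request path for one GET; returns (status, html)."""
    form = parse_form(query_string)
    ok, err = validate(form)
    if not ok:
        return "400 Bad Request", f"<p>Invalid input: {html.escape(err)}</p>"
    return "200 OK", render(query(conn, form["name"], form["year"]), form)


def demo_db():
    """Constructed in-memory stand-in for the account's real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE results (name TEXT, year INTEGER, score REAL)")
    conn.executemany("INSERT INTO results VALUES (?, ?, ?)",
                     [("alice", 2009, 12.5), ("<b>bob</b>", 2009, 7.0)])
    return conn


if __name__ == "__main__":
    # Under Apache CGI the GET form arrives in QUERY_STRING; the real script
    # would call load_credentials() here and open the hosting database instead.
    status, page = handle(os.environ.get("QUERY_STRING", "name=alice&year=2009"), demo_db())
    sys.stdout.write(f"Status: {status}\r\nContent-Type: text/html; charset=utf-8\r\n\r\n{page}\n")
```

Three things carry the security weight here: the SQL never contains user text (placeholders), every value is passed through html.escape before it reaches the page, and the secrets file is checked to be readable only by the account owner before it is used, so a 755 script can stay 755.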
+1  A: 

What are the right file permissions for scripts called via web? 755?

Use mod_wsgi so that your scripts are not run as scripts but as functions under a WSGI application.

I am taking user input. How do I guarantee it is sanitized?

Use a framework like Django.

I have user/pass for the database in the script. How do I prevent the script from being downloaded and the code seen?

Use a framework like Django.

Can I install the other libraries next to the file?

Yes.

Do I have to worry about security of/in these as well?

Yes.

Do I set their permissions to 700? 744?

They must be readable. That's all. However, if you use mod_wsgi, life is simpler. If you use a framework, simpler still.

Any other vulnerability I am unaware of?

Tons. Please see the http://www.owasp.org site.

Also, please use a framework. Please don't reinvent everything yourself. Folks have already solved all of these problems.

S.Lott
I would love to use a framework and just focus on making the code for the app, but the hosting company doesn't seem to have Django (they claim in their forums that it's resource intensive, so they don't use it on shared servers). I guess I'm paying for a blog hosting service and not a web space to run more sophisticated things. Any recommendation on hosting with Django, or where I can run Python analysis scripts and present results via a web interface? This is a family and friends project, so I don't expect huge traffic, but I would like the versatility of building something different. Thanks.
greye
S.Lott
I was expecting advice from someone who appears to have experience. I can google on my own, tyvm.
greye
@greye: What "advice" do you want? Code examples? That's what framework documentation is for. If you want something specific, please **update** the question to identify the **specific** things you want. It's not clear what more information you need.
S.Lott
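What "run as functions under a WSGI application" looks like, as an added example that is not the answerer's code and does not depend on Django: the work is an `application(environ, start_response)` callable that mod_wsgi (or any WSGI server) calls once per request, so there is no script file sitting in a served directory to be downloaded. The averaging routine is a constructed stand-in for the poster's calculation, and the `call` helper is a local harness for driving the callable in-process.

```python
"""Minimal WSGI application (added example; the calculation is a stand-in)."""
import html
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server
from wsgiref.util import setup_testing_defaults

HTML = [("Content-Type", "text/html; charset=utf-8")]


def compute(values):
    """Stand-in for the 'calculates stuff' part of the poster's script."""
    return sum(values) / len(values)


def application(environ, start_response):
    """WSGI entry point: validate the form, compute, return escaped HTML."""
    raw = parse_qs(environ.get("QUERY_STRING", "")).get("v", [])
    try:
        if not 1 <= len(raw) <= 100:
            raise ValueError("between 1 and 100 values expected")
        values = [float(x) for x in raw]
    except ValueError as exc:
        start_response("400 Bad Request", HTML)
        # str(exc) may echo the bad input, so it is escaped like any user text
        return [f"<p>Invalid input: {html.escape(str(exc))}</p>".encode()]
    start_response("200 OK", HTML)
    return [f"<p>Mean of {len(values)} values: {compute(values):.3f}</p>".encode()]


def call(app, query_string):
    """Drive a WSGI app in-process; returns (status, body) for a GET."""
    environ = {"QUERY_STRING": query_string}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    # Local check only; under mod_wsgi the server imports this module and
    # calls `application` itself (WSGIScriptAlias pointing at the file).
    with make_server("127.0.0.1", 8000, application) as httpd:
        httpd.serve_forever()
```

Because the module is imported rather than executed, any database connection or credentials loading can happen once at import time, and the file that holds them lives wherever mod_wsgi is pointed, which need not be under the document root.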