tags:

views:

44

answers:

3
+1  Q: 

Security precautions for running python in cgi-bin.

I've been writing python scripts that run locally. I would now like to offer a service online using one of these python scripts and through the webhosting I have I can run python in the cgi-bin.

The python script takes input from an html form filled in by the user, has the credentials and connects with a local database, calculates stuff using python libraries and sends out the results as HTML to be displayed.

What I would like to know is what security precautions I should take. Here are my worries:

  • What are the right file permissions for scripts called via web? 755?
  • I am taking user input. How do I guarantee it is sanitized?
  • I have user/pass for the database in the script. How do I prevent the script from being downloaded and the code seen?
  • Can I install the other libraries next to the file? Do I have to worry about security of/in these as well? Do I set their permissions to 700? 744?
  • Any other vulnerability I am unaware of?
+3  A: 

check out owasp.org - you're now writing a web application, and you need to worry about everything web apps need to worry about. The list is too long and complicated to place here, but owasp is a good starting point.

atk  2010-09-13 19:32:17
+1  A: 
  • File permissions - 755 is reasonable.
  • Sanitize your user input. That's how you guarantee it's sanitized. See this question.
  • Don't let people download the code for the script. You could also put the username/password in some directory that can't be accessed via the web (like outside the servable directories).
  • The best place to install other libraries is in your PYTHONPATH but outside the path Apache uses to serve things.
  • Vulnerabilities abound. Watch out for displaying things the user types, as that leads to XSS problems.
Nathon  2010-09-13 19:34:01
Thanks for the link to sanitize input, I am looking at it. This is a shared webhosting server so I don't have full access to it to change PythonPath or Apache. In this situation, do you think I can place it in other directories in my account? I have a folder root, public_html folder and within this one cgi-bin. Should I place it in the root? Does the script have access to it but outside people won't? Finally, how do you guarantee that they can't download the code? Does the cgi-bin only return the results of execution or can you download the raw file from there? Thank you.
greye  2010-09-13 19:47:29
@greye: Please get a good Apache tutorial and read it.
S.Lott  2010-09-13 19:56:22
+1  A: 

What are the right file permissions for scripts called via web? 755?

Use mod_wsgi so that your scripts are not run as scripts but as functions under a WSGI application.

I am taking user input. How do I guarantee it is sanitized?

Use a framework like Django.

I have user/pass for the database in the script. How do I prevent the script from being downloaded and the code seen?

Use a framework like Django.

Can I install the other libraries next to the file?

Yes.

Do I have to worry about security of/in these as well?

Yes.

Do I set their permissions to 700? 744?

They must be readable. That's all. However, if you use mod_wsgi, life is simpler. If you use a framework, simpler still.

Any other vulnerability I am unaware of?

Tons. Please see the http://www.owasp.org site.

Also, please use a framework. Please don't reinvent everything yourself. Folks have already solved all of these problems.

S.Lott  2010-09-13 19:47:53
I would love to use a framework and just focus on making the code for the app!! but the hosting company doesn't seem to have django (they claim in their forums that it's resource intensive so they don't use it for shared servers). I guess I'm paying for a blog hosting service and not a web space to run more sophisticated things. Any recommendation on hosting with django or where I can run python analysis scripts and present results via web interface? This is a family and friends project so I don't expect huge traffic but I would like the versatility of building something different. Thanks.
greye  2010-09-13 20:52:04
S.Lott  2010-09-13 21:00:59
I was expecting advice from someone who appears to have experience. I can google on my own, tyvm.
greye  2010-09-14 00:12:24
@greye: What "advice" do you want? Code examples? That's what framework documentation is for. If you want something specific, please **update** the question to identify the **specific** things you want. It's not clear what more information you need.
S.Lott  2010-09-14 01:00:35

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security