
Security precautions for running python in cgi-bin

I've been writing python scripts that run locally. I would now like to offer a service online using one of these python scripts, and through the webhosting I have I can run python in the cgi-bin.

The python script takes input from an HTML form filled in by the user, has the credentials for and connects to a local database, calculates things using python libraries, and sends out the results as HTML to be displayed.

What I would like to know is what security precautions I should take. Here are my worries:

  • What are the right file permissions for scripts called via web? 755?
  • I am taking user input. How do I guarantee it is sanitized?
  • I have user/pass for the database in the script. How do I prevent the script from being downloaded and the code seen?
  • Can I install the other libraries next to the file? Do I have to worry about security of/in these as well? Do I set their permissions to 700? 744?
  • Any other vulnerability I am unaware of?

Check out owasp.org - you're now writing a web application, and you need to worry about everything web apps need to worry about. The list is too long and complicated to place here, but OWASP is a good starting point.

  • File permissions - 755 is reasonable.
  • Sanitize your user input. That's how you guarantee it's sanitized. See this question.
  • Don't let people download the code for the script. You could also put the username/password in some directory that can't be accessed via the web (like outside the servable directories).
  • The best place to install other libraries is in your PYTHONPATH but outside the path Apache uses to serve things.
  • Vulnerabilities abound. Watch out for displaying things the user types, as that leads to XSS problems.
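The three concrete points in this answer (validate the form input, keep the database credentials out of the servable tree, escape what you echo back) in one request handler. This is an added example, not code from the question or the answer above. It stands in for the real setup with an in-memory SQLite table of constructed rows, a temporary file in place of a credentials file kept outside DocumentRoot, and an illustrative `item` form field; the `cgi` module is avoided because it is deprecated since Python 3.11, so the query string is decoded with `urllib.parse.parse_qs` instead. The string-interpolated lookup is kept next to the parameterized one only to show what the injection payload does to each.

```python
"""Hardened CGI-style handler for the form-to-database-to-HTML flow in the question.
Added example; not the original poster's code. Names, table and data are constructed."""
import html
import os
import re
import sqlite3
import tempfile
from urllib.parse import parse_qs

# Constructed sample data: the table the form lets users look up.
SAMPLE_ROWS = [("widget", 9.5), ("gadget", 19.0), ("secret-sku", 999.0)]
# Allowlist for the 'item' field: reject anything else instead of stripping "bad" characters.
ITEM_RE = re.compile(r"^[a-z][a-z0-9-]{0,31}$")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def parse_credentials(lines):
    """Parse key=value lines (comments and blanks ignored)."""
    creds = {}
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            creds[key.strip()] = value.strip()
    return creds


def load_credentials(path):
    """Read the credentials from a file outside the servable directories, so a
    misconfiguration that serves .py files as plain text cannot leak them."""
    with open(path) as fh:
        return parse_credentials(fh)


def parse_form(query_string):
    """Decode a GET query string; first value of each field wins."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def validate_item(value):
    if not ITEM_RE.match(value):
        raise ValueError("invalid item name")
    return value


def lookup_unsafe(conn, item):
    # Vulnerable form: user input interpolated into the statement. Shown for contrast only.
    sql = "SELECT name, price FROM products WHERE name = '%s'" % item
    return conn.execute(sql).fetchall()


def lookup_safe(conn, item):
    # Parameterized: the value travels separately from the statement, so quotes in it
    # cannot change the query.
    return conn.execute("SELECT name, price FROM products WHERE name = ?", (item,)).fetchall()


def render(item, rows):
    """Escape everything that originated from the user before echoing it (the XSS point)."""
    body = "".join("<li>%s: %.2f</li>" % (html.escape(name), price) for name, price in rows)
    return "<h1>Results for %s</h1><ul>%s</ul>" % (html.escape(item, quote=True), body)


def handle(query_string, conn):
    """Full request path: parse, validate, query with parameters, escape on output."""
    form = parse_form(query_string)
    item = validate_item(form.get("item", ""))
    return render(item, lookup_safe(conn, item))


if __name__ == "__main__":
    # Constructed stand-in for /home/user/private/db.conf (mode 600, outside DocumentRoot).
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write("# constructed example\ndb_user=app\ndb_pass=not-a-real-password\n")
    os.chmod(fh.name, 0o600)
    print("db user:", load_credentials(fh.name)["db_user"])
    conn = open_db()
    print(handle("item=widget", conn))
    payload = "' OR '1'='1"
    print("unsafe rows:", len(lookup_unsafe(conn, payload)), "safe rows:", len(lookup_safe(conn, payload)))
```

Run it and the interpolated lookup returns every row for the `' OR '1'='1` payload while the parameterized one returns none; `handle` never reaches the query for that payload because the allowlist rejects it first. In a real cgi-bin the credentials path would be absolute and the file owned by the user the script runs as.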

What are the right file permissions for scripts called via web? 755?

Use mod_wsgi so that your scripts are not run as scripts but as functions under a WSGI application.

I am taking user input. How do I guarantee it is sanitized?

Use a framework like Django.

I have user/pass for the database in the script. How do I prevent the script from being downloaded and the code seen?

Use a framework like Django.

Can I install the other libraries next to the file?

Yes.

Do I have to worry about security of/in these as well?

Yes.

Do I set their permissions to 700? 744?

They must be readable. That's all. However, if you use mod_wsgi, life is simpler. If you use a framework, simpler still.

Any other vulnerability I am unaware of?

Tons. Please see the http://www.owasp.org site.

Also, please use a framework. Please don't reinvent everything yourself. Folks have already solved all of these problems.
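The permission questions (755 for the scripts, 700 or 744 for the libraries, "they must be readable") as a check you can run over a cgi-bin tree. This is an added example, not code from either answer. It takes the uid and groups the web server runs as explicitly rather than guessing them, treats files directly in the root as CGI scripts and files under subdirectories as libraries, and builds a constructed sample tree in a temporary directory. Besides the readability requirement the answer states, it flags group- and world-writable files, which is the one thing that matters more than the exact mode: anyone who can write the file controls what the web server executes, and Apache's suexec refuses to run scripts that are writable by anyone but the owner.

```python
"""Audit mode bits under a cgi-bin directory. Added example, not from the original page.
The server's uid/gids are parameters so the result does not depend on the host."""
import os
import stat
import tempfile


def audit_mode(mode, is_script, owner_uid, owner_gid, server_uid, server_gids):
    """Return the findings for one file given its st_mode and ownership.

    - group/world-writable or setuid/setgid: someone other than the owner can change
      what the web server runs (suexec rejects such scripts outright).
    - every file must be readable by the server user; 700 is fine only if the
      server user owns the file, 744 is fine for a library owned by someone else.
    - a CGI script additionally needs the execute bit for the server user.
    """
    findings = []
    perm = stat.S_IMODE(mode)
    if perm & stat.S_IWOTH:
        findings.append("world-writable")
    if perm & stat.S_IWGRP:
        findings.append("group-writable")
    if perm & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid/setgid bit set")

    # Which permission class (user/group/other) applies to the web server user?
    if server_uid == owner_uid:
        r_bit, x_bit = stat.S_IRUSR, stat.S_IXUSR
    elif owner_gid in server_gids:
        r_bit, x_bit = stat.S_IRGRP, stat.S_IXGRP
    else:
        r_bit, x_bit = stat.S_IROTH, stat.S_IXOTH
    if not perm & r_bit:
        findings.append("not readable by web server user")
    if is_script and not perm & x_bit:
        findings.append("script not executable by web server user")
    return findings


def audit_tree(root, server_uid, server_gids, script_suffixes=(".py", ".cgi")):
    """Walk root; files directly in it are scripts, anything deeper is a library.
    Returns {relative_path: [findings]} for files with at least one finding."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            is_script = dirpath == root and name.endswith(script_suffixes)
            findings = audit_mode(st.st_mode, is_script, st.st_uid, st.st_gid,
                                  server_uid, server_gids)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def build_sample_tree():
    """Constructed cgi-bin layout: two scripts, a lib/ directory with two modules."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "lib"))
    for rel, mode in (("calc.py", 0o755), ("helper.py", 0o777),
                      ("lib/numeric.py", 0o644), ("lib/private.py", 0o600)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("# constructed\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    # Pretend Apache runs as a uid that does not own the files and shares no group with them.
    server_uid = os.getuid() + 1
    for rel, findings in sorted(audit_tree(root, server_uid, set()).items()):
        print(rel, "->", ", ".join(findings))
```

With the constructed tree and a server uid that is not the owner, `helper.py` is reported as group- and world-writable and `lib/private.py` as unreadable, while `calc.py` (755) and `lib/numeric.py` (644) pass. Change `server_uid` to `os.getuid()` and `lib/private.py` passes too, which is the "700 is fine when the server owns it" case.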
