Security precautions for running python in cgi-bin

I've been writing python scripts that run locally. I would now like to offer a service online using one of these python scripts and through the webhosting I have I can run python in the cgi-bin.

The python script takes input from an html form filled in by the user, has the credentials and connects with a local database, calculates stuff using python libraries and sends out the results as HTML to be displayed.

What I would like to know is what security precautions I should take. Here are my worries:
Check out owasp.org - you're now writing a web application, and you need to worry about everything web apps need to worry about. The list is too long and complicated to place here, but owasp is a good starting point.
What are the right file permissions for scripts called via web? 755?

Use mod_wsgi so that your scripts are not run as scripts but as functions under a WSGI application.

I am taking user input. How do I guarantee it is sanitized?

Use a framework like Django.

I have user/pass for the database in the script. How do I prevent the script from being downloaded and the code seen?

Use a framework like Django.

Can I install the other libraries next to the file?

Yes.

Do I have to worry about security of/in these as well?

Yes.

Do I set their permissions to 700? 744?

They must be readable. That's all. However, if you use mod_wsgi, life is simpler. If you use a framework, simpler still.

Any other vulnerability I am unaware of?

Tons. Please see the http://www.owasp.org site.

Also, please use a framework. Please don't reinvent everything yourself. Folks have already solved all of these problems.
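The following is an added example, not code from the question or either answer, showing what three of the points above look like in practice for a small WSGI application of the kind mod_wsgi would host: the database credentials are read from a file outside the web root whose permissions are checked before use (so a leaked script source does not leak the password), the form field is validated against an explicit whitelist pattern, and the database query binds the value as a parameter instead of building SQL from user input. The field name `user_id`, the JSON credential file layout, and the in-memory SQLite table are constructed assumptions standing in for the poster's form and local database.

```python
"""Added example: a minimal WSGI handler applying the precautions discussed
above. Names (`user_id`, the credential file layout, the `readings` table)
are constructed for illustration and are not from the original question."""
import html
import json
import os
import re
import sqlite3
import stat
import tempfile
from urllib.parse import parse_qs

# Whitelist: the only input shape the calculation accepts. Anything else is
# rejected before it gets near the database or the response HTML.
USER_ID_RE = re.compile(r"^[0-9]{1,9}$")


def load_db_credentials(path):
    """Read credentials from a JSON file that must not be group/world
    accessible (mode 0600 or stricter). Keeping the secret out of the script
    means that downloading the script source does not reveal the password."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is group/world accessible (mode {oct(mode)})")
    with open(path, encoding="utf-8") as fh:
        creds = json.load(fh)
    return creds["user"], creds["password"]


def write_sample_credentials():
    """Constructed sample: create a 0600 credential file in a temp directory
    (in a real deployment this file lives outside the web root)."""
    path = os.path.join(tempfile.mkdtemp(), "db.json")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump({"user": "app", "password": "example-only"}, fh)
    return path


def build_sample_db():
    """Constructed in-memory table standing in for the local database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE readings (user_id INTEGER, value REAL)")
    conn.executemany("INSERT INTO readings VALUES (?, ?)",
                     [(1, 2.5), (1, 4.0), (2, 10.0)])
    conn.commit()
    return conn


def validate_user_id(raw):
    """Return the user id as an int, or None if the input is not acceptable."""
    if raw is None or not USER_ID_RE.match(raw):
        return None
    return int(raw)


def average_for_user(conn, user_id):
    """Parameterised query: the value is bound, never concatenated into SQL."""
    row = conn.execute("SELECT AVG(value) FROM readings WHERE user_id = ?",
                       (user_id,)).fetchone()
    return row[0]


def application(environ, start_response, conn=None):
    """WSGI entry point: validate, query with a bound parameter, escape output."""
    conn = conn or build_sample_db()
    headers = [("Content-Type", "text/html; charset=utf-8")]
    form = parse_qs(environ.get("QUERY_STRING", ""))
    user_id = validate_user_id(form.get("user_id", [None])[0])
    if user_id is None:
        start_response("400 Bad Request", headers)
        return [b"<p>Invalid user id.</p>"]
    avg = average_for_user(conn, user_id)
    if avg is None:
        text = f"No readings for user {user_id}."
    else:
        text = f"Average for user {user_id}: {avg}"
    start_response("200 OK", headers)
    # html.escape so nothing we render can inject markup into the page.
    return [f"<p>{html.escape(text)}</p>".encode("utf-8")]


def handle(query_string, conn):
    """Drive the WSGI app without a server; returns (status, body_text)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(application({"QUERY_STRING": query_string}, start_response, conn))
    return captured["status"], body.decode("utf-8")


if __name__ == "__main__":
    print(load_db_credentials(write_sample_credentials()))
    db = build_sample_db()
    for qs in ("user_id=1", "user_id=3", "user_id=1'+OR+1=1"):
        print(qs, "->", handle(qs, db))
```

Under mod_wsgi the server imports this module and calls `application` directly; the `handle` helper only exists so the behaviour can be exercised offline. The permission check is the programmatic version of the "they must be readable, that's all" advice: the script itself can be 755, but the file holding the secret should be readable by the web server user alone.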