There's one important rule: if you invoke an external program (via the os.system() or os.popen() functions, or others with similar functionality), make very sure you don't pass arbitrary strings received from the client to the shell. This is a well-known security hole (shell command injection) whereby clever hackers anywhere on the Web can exploit a gullible CGI script to invoke arbitrary shell commands. Even parts of the URL or field names cannot be trusted, since the request doesn't have to come from your form!
To be on the safe side, if you must pass a string obtained from a form to a shell command, you should make sure the string contains only alphanumeric characters, dashes, underscores, and periods.
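The whitelist check described above, as an added example that is not part of the original documentation. It validates a form value against exactly that character set and then hands it to the external program as a separate argument list rather than through the shell; the ``echo`` command stands in for whatever program your script actually needs to run (an assumption for illustration).

```python
import re
import subprocess

# Characters permitted by the rule above: letters, digits, dash, underscore, period.
# Anchored with fullmatch() so nothing before or after the run of safe characters
# can slip through (for example, a trailing newline).
SAFE_FIELD = re.compile(r"[A-Za-z0-9._-]+")


def is_safe_for_shell(value: str) -> bool:
    """Return True only if value consists solely of alphanumerics, '-', '_' and '.'."""
    return SAFE_FIELD.fullmatch(value) is not None


def run_lookup(form_value: str) -> str:
    """Run an external program on a client-supplied value.

    The value is never interpolated into a command-line string, so the shell
    never parses it: it is rejected unless it passes the whitelist, and then
    passed as its own argv element with shell=False (subprocess.run's default).
    """
    if not is_safe_for_shell(form_value):
        raise ValueError("rejected client input: %r" % form_value)
    # 'echo' is a placeholder for the real external program (assumption).
    result = subprocess.run(
        ["echo", form_value],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    for candidate in ("report-2024_v1.txt", "a b", "$HOME"):
        try:
            print(candidate, "->", run_lookup(candidate))
        except ValueError as exc:
            print(candidate, "->", exc)
```

Prefer the argument-list form of subprocess over os.system() and os.popen() in new code even when the input has been validated; the whitelist is then a second line of defence rather than the only one.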