Software: Apache/2.0.54 (Unix) mod_perl/1.99_09 Perl/v5.8.0 mod_ssl/2.0.54 OpenSSL/0.9.7l DAV/2 FrontPage/5.0.2.2635 PHP/4.4.0 mod_gzip/2.0.26.1a 

uname -a: Linux snow.he.net 4.4.276-v2-mono-1 #1 SMP Wed Jul 21 11:21:17 PDT 2021 i686 

uid=99(nobody) gid=98(nobody) groups=98(nobody) 

Safe-mode: OFF (not secure)

/opt/doc/python-2.3.4/html/Python-Docs-2.3.4/lib/   drwxr-xr-x
Free 318.34 GB of 458.09 GB (69.49%)
                            Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    

Viewing file:     cgi-security.html (5.79 KB)      -rw-r--r--

Python Library Reference

Previous: 11.2.5 Functions Up: 11.2 cgi Next: 11.2.7 Installing your CGI

---

11.2.6 Caring about security

There's one important rule: if you invoke an external program (via the os.system() or os.popen() functions. or others with similar functionality), make very sure you don't pass arbitrary strings received from the client to the shell. This is a well-known security hole whereby clever hackers anywhere on the Web can exploit a gullible CGI script to invoke arbitrary shell commands. Even parts of the URL or field names cannot be trusted, since the request doesn't have to come from your form!

To be on the safe side, if you must pass a string gotten from a form to a shell command, you should make sure the string contains only alphanumeric characters, dashes, underscores, and periods.

---

Python Library Reference

Previous: 11.2.5 Functions Up: 11.2 cgi Next: 11.2.7 Installing your CGI

---

Release 2.3.4, documentation updated on May 20, 2004.