<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>11.2.6 Caring about security </title> <META NAME="description" CONTENT="11.2.6 Caring about security "> <META NAME="keywords" CONTENT="lib"> <META NAME="resource-type" CONTENT="document"> <META NAME="distribution" CONTENT="global"> <meta http-equiv="Content-Type" content="text/html; charset="> <link rel="STYLESHEET" href="lib.css"> <link rel="first" href="lib.html"> <link rel="contents" href="contents.html" title="Contents"> <link rel="index" href="genindex.html" title="Index"> <LINK REL="next" HREF="node300.html"> <LINK REL="previous" HREF="node298.html"> <LINK REL="up" href="module-cgi.html"> <LINK REL="next" HREF="node300.html"> </head> <body> <DIV CLASS="navigation"> <table align="center" width="100%" cellpadding="0" cellspacing="2"> <tr> <td><A HREF="node298.html"><img src="../icons/previous.gif" border="0" height="32" alt="Previous Page" width="32"></A></td> <td><A href="module-cgi.html"><img src="../icons/up.gif" border="0" height="32" alt="Up One Level" width="32"></A></td> <td><A HREF="node300.html"><img src="../icons/next.gif" border="0" height="32" alt="Next Page" width="32"></A></td> <td align="center" width="100%">Python Library Reference</td> <td><A href="contents.html"><img src="../icons/contents.gif" border="0" height="32" alt="Contents" width="32"></A></td> <td><a href="modindex.html" title="Module Index"><img src="../icons/modules.gif" border="0" height="32" alt="Module Index" width="32"></a></td> <td><A href="genindex.html"><img src="../icons/index.gif" border="0" height="32" alt="Index" width="32"></A></td> </tr></table> <b class="navlabel">Previous:</b> <a class="sectref" HREF="node298.html">11.2.5 Functions</A> <b class="navlabel">Up:</b> <a class="sectref" href="module-cgi.html">11.2 cgi </A> <b class="navlabel">Next:</b> <a class="sectref" HREF="node300.html">11.2.7 Installing your CGI</A> <br><hr> </DIV> <!--End of Navigation Panel--> <H2><A NAME="SECTION0013260000000000000000"> </A> <BR> 11.2.6 Caring about security </H2> <P> <a name="l2h-2299"> </a> <P> There's one important rule: if you invoke an external program (via the <tt class="function">os.system()</tt> or <tt class="function">os.popen()</tt> functions. or others with similar functionality), make very sure you don't pass arbitrary strings received from the client to the shell. This is a well-known security hole whereby clever hackers anywhere on the Web can exploit a gullible CGI script to invoke arbitrary shell commands. Even parts of the URL or field names cannot be trusted, since the request doesn't have to come from your form! <P> To be on the safe side, if you must pass a string gotten from a form to a shell command, you should make sure the string contains only alphanumeric characters, dashes, underscores, and periods. <P> <DIV CLASS="navigation"> <p><hr> <table align="center" width="100%" cellpadding="0" cellspacing="2"> <tr> <td><A HREF="node298.html"><img src="../icons/previous.gif" border="0" height="32" alt="Previous Page" width="32"></A></td> <td><A href="module-cgi.html"><img src="../icons/up.gif" border="0" height="32" alt="Up One Level" width="32"></A></td> <td><A HREF="node300.html"><img src="../icons/next.gif" border="0" height="32" alt="Next Page" width="32"></A></td> <td align="center" width="100%">Python Library Reference</td> <td><A href="contents.html"><img src="../icons/contents.gif" border="0" height="32" alt="Contents" width="32"></A></td> <td><a href="modindex.html" title="Module Index"><img src="../icons/modules.gif" border="0" height="32" alt="Module Index" width="32"></a></td> <td><A href="genindex.html"><img src="../icons/index.gif" border="0" height="32" alt="Index" width="32"></A></td> </tr></table> <b class="navlabel">Previous:</b> <a class="sectref" HREF="node298.html">11.2.5 Functions</A> <b class="navlabel">Up:</b> <a class="sectref" href="module-cgi.html">11.2 cgi </A> <b class="navlabel">Next:</b> <a class="sectref" HREF="node300.html">11.2.7 Installing your CGI</A> <hr> <span class="release-info">Release 2.2, documentation updated on December 21, 2001.</span> </DIV> <!--End of Navigation Panel--> <ADDRESS> See <i><a href="about.html">About this document...</a></i> for information on suggesting changes. </ADDRESS> </BODY> </HTML>