security - Is it possible to inject shell/python commands from a configuration file? -

-

say have meta data custom file format python app reads. csv variables can change file manipulated:

var1,data1 var2,data2 var3,data3

so if user can manipulate meta data, have worry crafting malformed meta data file allow arbitrary code execution? thing can imagine if you made poor choice make var1 shell command execute os.sys(data1) in own code somewhere. also, if c have worry buffers being blown, don't think have worry python. if reading in data string possible somehow escape string "\n os.sys('rm -r /'), sql example totally wont work, there similar possible?

if doing there (plain text, reading , parsing simple format), safe. indicate, python safe more mundane memory corruption errors c developers can create if not careful. sql injection scenario note not concern when reading in files in python.

however, if concerned security, seems (interjection: you! programmer should lazy and paranoid), here things consider:

validate input. make sure each piece of data read of expected size, type, range, etc. error early, , don't propagate tainted variables elsewhere in code.

  • do know expected names of vars, or @ least format? make sure validate kind of thing expect before use it. if should letters, confirm regex or similar.
  • do know expected range or format of data? if you're expecting number, make sure it's number before use it. if it's supposed short string, verify length; idea.
  • what if characters or bytes don't expect? if throws unicode @ you?
  • if of these paths, make sure canonicalize , know path points acceptable location before read or write.

some specific things not do:

  • os.system(attackercontrolledstring)
  • eval(attackercontrolledstring)
  • __import__(attackercontrolledstring)
  • pickle/unpickle attacker controlled content (here's why)

also, rather rolling own config file format, consider configparser or json. understood format (and libraries) helps leg on proper validation.

owasp normal go-to providing "further reading" link, input validation page needs help. in lieu, looks reasonably pragmatic read: "secure programmer: validating input". dated more python specific 1 "dealing user input in python"


Comments

Post a Comment

Popular posts from this blog

php - What is the difference between $_SERVER['PATH_INFO'] and $_SERVER['ORIG_PATH_INFO']? -

-
what’s difference between $_server['path_info'] , $_server['orig_path_info'] ? how use them? when run print_r($_server) , path_info , orig_path_info not present in array. why not? how can enable them? i have read php manual on them, still don’t understand them. the path_info variable present if invoke php script this: http://www.example.com/phpinfo.php/hello_there it's /hello_there part after .php script. if don't invoke url that, there won't $_server["path_info"] environment variable. the porig_ prefix uncommon. path_info standard cgi-environment variable, , should never prefixed. did read that? (there issues around php3/php4 if invoked php interpreter via cgi-bin/ - hardly has such setups today.) for reference: http://www.ietf.org/rfc/rfc3875
Read more

fortran - Function return type mismatch -

-
i'm attempting recode old c++ program in fortran make use of lapack (i'm aware c++ have lapack++, i'm having lot of trouble installing it, gave up). i didn't have problems compilation, when had variables declared real . when started coding section of program required lapack, found parameters passed dsyev need double precision . tried change double precision (including changing hard coded numbers double precision counterparts, i.e. 0.0 -> 0.0d0) when try compile, following error of functions , subroutines i've written: error: return type mismatch of function <function> @ (1) (real(4)/real(8)) i'm not sure coming from, in program has been changed double precision. for example, i've declared following: double precision :: alpha(3),d(3),zeta1,zeta2 double precision :: a1(3),a2(3),d1(3),d2(3) double precision :: pi pi = 3.14159265359d0 alpha = (/0.109818d0, 0.405771d0, 2.22766d0/) d = (/0.444635d0, 0.535328d0, 0.154329d0 /) 10 i=1,3 ...
Read more

queue - mq_receive: message too long -

-
i implementing communication between 2 processes using queue. problem when call function mq_receive, error: message long. i have done following: struct mq_attr attr; long size = attr.mq_msgsize; .... // initializing queue "/gateway" int rc = mq_receive(gateway, buffer, size, &prio); if print size value, size=1, while when print same size program (got same mechanism), not long integer ( -1217186280 )... how can solve error?....so while size = 1, believe it's right "message long" why 1? p.s. have tried put : int rc = mq_receive(gateway, buffer, sizeof(buffer), &prio); but no result. it seems need read docs more carefully. when call mq_receive should pass size of destination buffer. this size must greater mq_msgsize attribute of queue . in addition, seems have error in queue attributes initialisation makes proper mq_receive call impossible. here standard message queue session: fill mq_attr struct ( doc ): struct mq_a...
Read more