Python CGI Script

[Efrat Regev]

Hello,

I'm a data-structures course TA trying to write a python CGI script
for automatically compiling and testing students' projects.
Unfortunately, I've run into some questions while writing this, which I
couldn't solve with the various (and helpful) python-CGI documentation.
(It's possible that I'm posting to the wrong group; if so, I'd
appreciate suggestions for the appropriate group.)


1. In my HTML page, I have the following:

<form method="post" action="submission_processor.py"
enctype="multipart/form-data">
....
</form>

In the above, submission_processor.py is the python CGI script. I
didn't write a URL in the action field, since I'm first testing
everyting on a local machine (running FC4). The first line of
submission_processor.py is

#!/usr/bin/python

and I've done

chmod +x submission_processor.py

When I hit the "submit" button, my browser (Firefox on FC4) doesn't
run the script; it asks me whether it should open
submission_processor.py or save it to disk. I couldn't figure out why.

2. My HTML page has the option for an instructor to list the various
submissions and scores. Obviously, this should be inaccessible to
students. The instructor has a password for doing this, therefore.
Suppose I place the password inside a python script, and give this
script only +x permission for others. Is this adequate as far as security?


Thanks in advance for answering these questions.


Efrat

 

[Steve Holden]

Hello,

I'm a data-structures course TA trying to write a python CGI script
for automatically compiling and testing students' projects.
Unfortunately, I've run into some questions while writing this, which I
couldn't solve with the various (and helpful) python-CGI documentation.
(It's possible that I'm posting to the wrong group; if so, I'd
appreciate suggestions for the appropriate group.)


1. In my HTML page, I have the following:

<form method="post" action="submission_processor.py"
enctype="multipart/form-data">
...
</form>

In the above, submission_processor.py is the python CGI script. I
didn't write a URL in the action field, since I'm first testing
everyting on a local machine (running FC4). The first line of
submission_processor.py is

#!/usr/bin/python

and I've done

chmod +x submission_processor.py

When I hit the "submit" button, my browser (Firefox on FC4) doesn't
run the script; it asks me whether it should open
submission_processor.py or save it to disk. I couldn't figure out why.

You also have to have the executable script inside a directory that is
recognised as being a script directory (usually achieved with an Apache
ScriptAlias directive), or have the server otherwise recognise .py files
as executable (just setting the +x mode bit isn't enough).

In the absence of such knowledge the server just returns the content of
the file rather than the content produced by *executing* the file.

2. My HTML page has the option for an instructor to list the various
submissions and scores. Obviously, this should be inaccessible to
students. The instructor has a password for doing this, therefore.
Suppose I place the password inside a python script, and give this
script only +x permission for others. Is this adequate as far as security?

That depends on whether you wanted to use HTTP security (provided
automatically by the web server) or application security (provided by
your code).

In the case of a script which is for general running but where some of
the script's functionality shouldn't be generally available you are
stuck with the latter. It's OK to have passwords in your script as long
as you are sure that the script isn;t going to be served up as content
like it currently is!

Thanks in advance for answering these questions.


Efrat

regards
Steve

 

[Ivan Herman]

Efrat,

I am afraid a CGI script is never *executed* by the browser. Instead, it sends
the URL to a server, expects the server to execute the script, and display the
server's response. If you just put a file name then (it seems, I never even
tried that) Firefox uses the local file store as a 'server' in that respect.

If you want to test a CGI script on your own machine, you should run a web
server on your own machine. That server should also be set up in a way that it
recognizes a '.py' file as a CGI script to be executed by Python (not all
servers may recognize the #! trick...).

This may look scary, but it is not that bad. Apache has a number of precompiled
binary versions that you can install on your machine; you can also use servers
like W3C's jigsaw (this relies on Java) or others. These are all free and easy
to install and, well, manageable to configure. Actually, in case you run on a
MacOS X by any chance, Apache is already installed afaik...

I hope this helps

Ivan


-------- Original Message --------
From: Efrat Regev <[email protected]>
To:
Subject: Python CGI Script
Date: 30/9/2005 12:50