Re: Secure Python code - volunteers for code review?

Discussion in 'Python' started by Josiah Carlson, Oct 13, 2004.


  1. > > You can save yourself many concerns by encoding your data in some
    > > fashion that cannot be understood by the database to mean anything. Hex
    > > works well for that.

    >
    > A more straightforward way is to simply use prepare() religiously. This
    > also avoids the headache of having to decode your data if you use a
    > different program to access it (such as psql or mysql).


    Thankfully, other languages are able to translate to/from hex *wink*.
    Either way, unencoded/unprepared data may bork you.

    - Josiah
    Josiah Carlson, Oct 13, 2004
    #1

  2. Josiah Carlson <> wrote:

    > Either way, unencoded/unprepared data may bork you.


    Indeed, but I don't see any of that in a quick flick through Andrew's
    code. All the literal values are getting passed through the standard
    DBAPI substitution layer, so should be completely safe.

    The only thing I noticed just briefly looking at it was the call to
    os.popen with command '"antiword " + fn'. Creating system commands by
    simple string concatenation is v. dodgy.

    It turns out in this case that 'fn' is coming directly from
    tempfile.mkstemp so there probably isn't going to be a security issue
    in practice, but depending on the path of the temp directory and what
    characters are escapes I guess this could fail on some platforms, or
    something. In any case it makes me feel uneasy. :)

    Of course, Andrew will also have to be sure that there are no buffer
    overflows or other issues in the 'antiword' program that could allow a
    maliciously-crafted .doc file to execute arbitrary code.

    --
    Andrew Clover
    mailto:
    http://www.doxdesk.com/
    Andrew Clover, Oct 13, 2004
    #2
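Both cautions from the thread side by side, as an added example that is not Andrew's code nor either poster's: the `os.popen` string built by concatenation versus an argument vector with no shell, and a concatenated SQL literal versus DBAPI parameter substitution (the `prepare()` route). The table and filenames are constructed for the example; `antiword` is only called in `run_antiword` and is assumed to be on PATH there.

```python
import shlex
import sqlite3
import subprocess

def popen_style_tokens(fn: str) -> list[str]:
    """Tokens /bin/sh makes of the thread's '"antiword " + fn' string: os.popen
    hands it to a shell, so a space or metacharacter in fn reshapes the command."""
    return shlex.split("antiword " + fn)


def antiword_argv(fn: str) -> list[str]:
    """Argument vector for subprocess with shell=False: fn stays one argv element."""
    return ["antiword", fn]


def run_antiword(fn: str) -> str:
    """Hardened call: no shell, so the filename is never re-parsed."""
    return subprocess.run(antiword_argv(fn), capture_output=True, text=True,
                          check=True).stdout


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the document store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO docs (title) VALUES (?)",
                     [("budget",), ("O'Brien memo",)])
    return conn


def find_docs_literal(conn: sqlite3.Connection, title: str) -> list[tuple]:
    """SQL literal built by concatenation: a quote inside title becomes SQL."""
    return conn.execute("SELECT id FROM docs WHERE title = '" + title + "'").fetchall()


def find_docs(conn: sqlite3.Connection, title: str) -> list[tuple]:
    """DBAPI parameter substitution: title is bound as a value, never parsed as SQL."""
    return conn.execute("SELECT id FROM docs WHERE title = ?", (title,)).fetchall()


def lookup_both_ways(title: str) -> tuple[list[tuple], bool]:
    """Parameterised result plus whether the literal query failed on the same input."""
    conn = demo_db()
    try:
        find_docs_literal(conn, title)
        literal_failed = False
    except sqlite3.OperationalError:
        literal_failed = True
    return find_docs(conn, title), literal_failed
```

A filename with a space (a temp directory under a path like "Documents and Settings") already splits the concatenated command into three tokens, and a perfectly ordinary title with an apostrophe breaks the concatenated SQL, which is the "bork you" case even before anyone hostile shows up.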
