Draft Version 604 (Thu Dec 1 09:18:38 2005)
QUERY_STRING
..., while unexpected ones may be present
QUERY_STRING may not even be formatted according to the HTTP specification
"price=399.99" with "price=3.99" in the query string
/web/docs
url[:9] == '/web/docs'
to prevent people from accessing /home/dknuth/grades.xsl
/web/docs/../../home/dknuth/grades.xsl
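The two input-checking points above (a query string whose fields may be missing, duplicated, unexpected, malformed or edited, such as "price=399.99" becoming "price=3.99", and a URL check `url[:9] == '/web/docs'` that `/web/docs/../../home/dknuth/grades.xsl` walks straight past) worked through in Python 3. This is an added example, not the lecture's code: the catalogue, the field names `item`/`price` and all function names are constructed for the demonstration; `/web/docs` and the traversal path are the page's. It goes slightly beyond the page by also rejecting sibling directories such as `/web/docs-other`, which a nine-character prefix test would accept.

```python
import posixpath
from urllib.parse import parse_qsl

# Constructed server-side catalogue: the price that gets charged is looked up
# here and never taken from the client. Item name and price are sample values.
CATALOGUE = {"widget": "399.99"}
DOC_ROOT = "/web/docs"          # the directory the page's url[:9] check guards


def is_well_formed(query_string):
    """strict_parsing makes parse_qsl raise on input that is not key=value
    pairs joined by '&', which is how a query string that ignores the HTTP
    specification shows up to the script."""
    try:
        parse_qsl(query_string, keep_blank_values=True, strict_parsing=True)
    except ValueError:
        return False
    return True


def parse_order(query_string, expected=("item", "price")):
    """Keep only the expected fields; report missing, duplicate and unexpected ones."""
    fields, problems = {}, []
    for key, value in parse_qsl(query_string, keep_blank_values=True, strict_parsing=True):
        if key not in expected:
            problems.append("unexpected field %r" % key)
        elif key in fields:
            problems.append("duplicate field %r" % key)
        else:
            fields[key] = value
    for key in expected:
        if key not in fields:
            problems.append("missing field %r" % key)
    return fields, problems


def server_price(fields):
    """Charge the catalogue price. A client-sent price that disagrees with it
    (the page's 399.99 -> 3.99 edit) is reported as tampering, never honoured.
    Returns (price, tampered)."""
    item = fields.get("item")
    if item not in CATALOGUE:
        return None, False
    tampered = "price" in fields and fields["price"] != CATALOGUE[item]
    return CATALOGUE[item], tampered


def naive_prefix_check(url):
    """The lecture's check: it only compares the first nine characters."""
    return url[:9] == "/web/docs"


def resolve_under_root(url, root=DOC_ROOT):
    """Return the normalised path if it stays inside root, else None.

    Expects an already percent-decoded path. posixpath.normpath collapses
    '.' and '..', so /web/docs/../../home/dknuth/grades.xsl resolves to
    /home/dknuth/grades.xsl and is rejected. Containment is tested on a whole
    path component (root itself or root + '/'), not on a character prefix,
    so /web/docs-other is rejected as well."""
    if not url.startswith("/"):
        return None
    resolved = posixpath.normpath(url)
    root = posixpath.normpath(root)
    if resolved == root or resolved.startswith(root + "/"):
        return resolved
    return None
```

`resolve_under_root` works on the URL path only; when the result is mapped onto a real filesystem, resolve it with `os.path.realpath` as well so symbolic links inside the document root cannot point back out of it.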
/tmp/1728397.cgidata
(where 1728397 is a random number)
/tmp
for *.cgidata files
grep
in a sub-process

```python
#!/usr/bin/env python
# Python 2 CGI script from the lecture notes: the query value is spliced
# straight into a shell command line (deliberately unsafe).
import os, cgi

form = cgi.FieldStorage()
term = form.getvalue('term')          # getvalue() returns the string, not a FieldStorage object
cmd = 'grep %s data.txt' % term
instream = os.popen(cmd, 'r')         # runs cmd through the shell
results = instream.readlines()
instream.close()
print 'Content-type: text/html\n'
print '<html><body>'
for line in results:
    print '<p>', cgi.escape(line), '</p>'
print '</body></html>'
```
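The hardened counterpart of the script above, as an added Python 3 example rather than the lecture's code. It assumes a POSIX `grep` is installed; the sample data file is constructed in place of the lecture's `data.txt`. The point is that the search term never reaches a shell: `subprocess.run` with an argument list hands `grep` exactly one argv entry, so `;`, `*` and spaces in the term are just characters of the pattern. `quoted_shell_command` shows the fallback when a shell cannot be avoided.

```python
import shlex
import subprocess
import tempfile


def shell_command(term, path="data.txt"):
    """The command string the lecture's script hands to the shell: the term is
    spliced in verbatim, so any shell metacharacters in it are interpreted."""
    return "grep %s %s" % (term, path)


def quoted_shell_command(term, path="data.txt"):
    """If a shell is unavoidable, shlex.quote turns the term into one word."""
    return "grep %s %s" % (shlex.quote(term), shlex.quote(path))


def search(term, path):
    """Hardened form: argv list, no shell. '--' stops grep treating a term that
    starts with '-' as an option. Returns the matching lines."""
    proc = subprocess.run(["grep", "--", term, path],
                          capture_output=True, text=True)
    # exit status 1 just means "no match"; anything above that is a real error
    if proc.returncode > 1:
        raise RuntimeError(proc.stderr.strip())
    return proc.stdout.splitlines()


def make_sample_file():
    """Constructed stand-in for the lecture's data.txt."""
    handle = tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False)
    handle.write("alpha 1\nthe dummy record\nomega 3\n")
    handle.close()
    return handle.name
```

With the page's value `dummy /dev/null;rm -rf *`, `search` returns no lines because no line contains that pattern; nothing else happens, and the file system is untouched.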
"term=dummy /dev/null;rm -rf *"?
cmd becomes grep term=dummy /dev/null; rm -rf * data.txt
grep produces no output (since /dev/null is always empty)
expr is a string, eval(expr) interprets it as if it had been typed in then and there
"criteria=record.left+record.right<0"
```python
#!/usr/bin/env python
# Python 2 CGI script from the lecture notes: the criteria string from the
# query is handed to eval(), so whatever it contains is executed (deliberately unsafe).
import os, cgi

form = cgi.FieldStorage()
criteria = form.getvalue('criteria')  # getvalue() returns the string itself
results = []
for record in readRecords():          # readRecords() is defined elsewhere in the lecture
    keep = eval(criteria)
    if keep:
        results.append(record.title)
print 'Content-type: text/html\n'
print '<html><body>'
for title in results:
    print '<p>', cgi.escape(title), '</p>'
print '</body></html>'
```
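A replacement for `eval(criteria)`, as an added Python 3 example that is not the lecture's code. It parses the criteria string with the `ast` module and accepts only a tiny grammar (numeric literals, `record.left`, `record.right`, `+ - * /`, unary minus and a single comparison), so the page's `record.left+record.right<0` still works while anything else, a function call, a name, an import, is refused before any record is looked at. The `Record` shape and the sample records are constructed; the page only shows `.left`, `.right` and `.title` being used.

```python
import ast
import operator
from collections import namedtuple

# Constructed record shape for the demonstration.
Record = namedtuple("Record", "title left right")

_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}
_CMPOPS = {ast.Lt: operator.lt, ast.LtE: operator.le, ast.Gt: operator.gt,
           ast.GtE: operator.ge, ast.Eq: operator.eq, ast.NotEq: operator.ne}
_FIELDS = {"left", "right"}          # the only attributes a criterion may read


def _check(node):
    """Reject anything outside the grammar. Names, calls, subscripts, boolean
    operators and so on all fall through to the ValueError."""
    if isinstance(node, ast.Expression):
        _check(node.body)
    elif isinstance(node, ast.Constant):
        if isinstance(node.value, bool) or not isinstance(node.value, (int, float)):
            raise ValueError("only numeric literals are allowed")
    elif isinstance(node, ast.Attribute):
        if not (isinstance(node.value, ast.Name) and node.value.id == "record"
                and node.attr in _FIELDS):
            raise ValueError("only record.left / record.right may be read")
    elif isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        _check(node.operand)
    elif isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        _check(node.left)
        _check(node.right)
    elif (isinstance(node, ast.Compare) and len(node.ops) == 1
          and type(node.ops[0]) in _CMPOPS):
        _check(node.left)
        _check(node.comparators[0])
    else:
        raise ValueError("disallowed syntax: " + type(node).__name__)


def _evaluate(node, record):
    """Walk a tree that _check has already accepted."""
    if isinstance(node, ast.Expression):
        return _evaluate(node.body, record)
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Attribute):
        return getattr(record, node.attr)
    if isinstance(node, ast.UnaryOp):
        return -_evaluate(node.operand, record)
    if isinstance(node, ast.BinOp):
        return _BINOPS[type(node.op)](_evaluate(node.left, record),
                                      _evaluate(node.right, record))
    # ast.Compare is the only node type left that _check lets through
    return _CMPOPS[type(node.ops[0])](_evaluate(node.left, record),
                                      _evaluate(node.comparators[0], record))


def compile_criteria(text):
    """Parse and validate once, before any record is seen; returns a predicate."""
    tree = ast.parse(text, mode="eval")
    _check(tree)
    return lambda record: _evaluate(tree, record)


def criteria_is_allowed(text):
    """True if the string fits the grammar, False if it would have been refused."""
    try:
        compile_criteria(text)
    except (ValueError, SyntaxError):
        return False
    return True


def select_titles(criteria, records):
    """The lecture's loop with the predicate in place of eval(criteria)."""
    keep = compile_criteria(criteria)
    return [r.title for r in records if keep(r)]


# Constructed sample records.
SAMPLE = [Record("alpha", 1, -5), Record("beta", 3, 2), Record("gamma", -1, 0)]
```

Validation happens in `compile_criteria`, so a bad criteria string is refused once, up front, instead of failing part-way through the record loop.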
```python
query = "SELECT * FROM Data WHERE Username='%s'" % username   # string formatting, not a bound parameter
cursor.execute(query)
results = cursor.fetchall()
```
fred'; UPDATE Employees SET Salary = 1000000 WHERE username = 'me
https in URL instead of http
"rlogin" and "telnet".
"ssh" instead whenever possible.
"scp" instead of "ftp".
Copyright © 2005, Python Software Foundation. See License for details.