Common Mistakes as a Python Web Developer

A few weeks ago I had a heated discussion with a bunch of Python and Open Source people at a local meet-up about the way Python's path joining works. I was always pretty sure that people are aware of how path joining works and why it works that way. However, a bit of searching around on the internet quickly showed that it's actually a pretty common mistake to use the os.path.join function with arbitrary and unfiltered input, leading to security issues. Because the most common case where user input comes from another system is web development, I went a bit further and tried to find a few other cases where people might be blindly trusting an API or operating system.

So here it is: my list of things not to do when doing Python web development.

Untrusted Data and File Systems

Unless you are running on a virtualized filesystem, like when you are executing code on Google Appengine, chances are that vital files can be accessed with the rights your application has. Very few deployments actually reduce the rights of the executing user account to a level where it would become safe to blindly trust user-submitted filenames. Because it typically isn't, you have to think about that.

In PHP land this is common knowledge by now because many people write innocent looking code like this:

<?php
include "header.php";
$page = isset($_GET['page']) ? $_GET['page'] : 'index';
$filename = $page . '.php';
if (file_exists($filename))
    include $filename;
else
    include "missing_page.php";
include "footer.php";

Now the problem is that if you accept the filename blindly, one could just pass a string with some leading "go one layer up" markers and access files somewhere else on the file system. Many people thought that wouldn't be a problem because the file has to end with ".php", so only PHP files could be accessed. It turns out that PHP never (at least not until recently) removed null bytes from the string before opening the file, so the underlying C function that opened the file stopped reading at the null byte. So if an attacker accessed the page ?page=../../../../htpasswd%00 he would see the contents of the passwd file.
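The same two mistakes, blind joining of a client-supplied path component and ignoring embedded null bytes, apply to the Python os.path.join usage mentioned at the start of the post. The following is an added example, not code from the original post: naive_page_path reproduces the PHP page loader above with posixpath.join, and safe_page_path is a hypothetical hardened version that keeps the resolved path inside a constructed base directory, PAGES_DIR.

```python
import posixpath

# Constructed base directory for the example; not a path from the original post.
PAGES_DIR = "/srv/app/pages"


def naive_page_path(page):
    """The mistake the post describes: join whatever the client sent.

    posixpath.join keeps '..' segments untouched and, if `page` is an
    absolute path, discards PAGES_DIR entirely. An embedded null byte also
    survives, so a C-level open() would stop reading the name right there.
    """
    return posixpath.join(PAGES_DIR, page + ".php")


def safe_page_path(page, base=PAGES_DIR):
    """Return the resolved page path if it stays inside `base`, else None.

    The check is purely lexical: it collapses '..' and rejects null bytes,
    which is what the PHP example above fails to do.
    """
    if "\0" in page:
        # A null byte would truncate the name at the OS level, defeating
        # the ".php" suffix check entirely, so reject it outright.
        return None
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, page + ".php"))
    # After normalisation the result must be the base itself or live below it.
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate
```

Because the check is lexical only, a deployment that allows symlinks inside the pages directory would additionally resolve the result with os.path.realpath and repeat the containment test.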
