Hi.

Paul Wise <p...@debian.org> writes:

> On Thu, Feb 6, 2014 at 8:43 AM, Paul Wise wrote:
>
>> Which CGI are we talking about? Perhaps we can give more specific advice.
>
> I guess you mean Online Python Tutor (#737732).

Damn BTS ;) Indeed, I was considering OPT.

> Looking at the git repo, it includes a lot of embedded code copies of
> various JavaScript libraries and other code. As per policy 4.13 those
> should be packaged separately.
>
> https://wiki.debian.org/EmbeddedCodeCopies

Sure.

> I see some places where it uses os.system(). That should switch to
> using the subprocess module with shell disabled.
>
> The idea of this software is a bit concerning to me, it sounds like it
> runs arbitrary Python code on the server and passes the results back
> to the web.

Exactly.

> I would suggest auditing it to ensure that it isn't one
> giant security hole. Please get CVEs for any issues that you find.
>
> http://oss-security.openwall.org/wiki/disclosure/cve

Yes, it is indeed something that might be problematic.

AFAICS for now, it uses a whitelist of Python modules that are allowed (see [0]). That looks safe at first sight, but I fear there could be some kind of exploits if the "safe" modules have flaws... I'm not an expert in Python code security so I'd welcome any advice.

In this respect, I can see the benefit of running it over a PaaS solution like Google App Engine (which is advertised by the upstream author's site), given that those Python execution environments may naturally be sandboxed, etc. Maybe a CGI sandboxing solution could be advised, for running over a "normal" Debian system?

Thanks in advance.

Best regards,

[0] https://github.com/pgbovine/OnlinePythonTutor/blob/master/v3/pg_logger.py#L112

--
Olivier BERGER
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)

Archive: http://lists.debian.org/8761oo498f....@inf-8660.int-evry.fr
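As an added illustration (not code from this thread nor from Online Python Tutor's pg_logger.py), the import-whitelist approach discussed above can be implemented by swapping in a restricted `__import__` for the builtins seen by exec'd user code; the allowed set below is a constructed example, not OPT's real list, and note that it only filters import statements, so the remaining builtins and the whitelisted modules themselves still need review.

```python
import builtins

# Constructed whitelist for demonstration; OPT's real list lives in pg_logger.py.
ALLOWED_MODULES = frozenset({"math", "random", "string", "collections"})

# Builtins that let user code bypass the import filter or touch the filesystem.
DENIED_BUILTINS = ("open", "exec", "eval", "compile", "__loader__")


class DisallowedImport(ImportError):
    """Raised when user code tries to import a module outside the whitelist."""


def make_restricted_import(allowed):
    """Return an __import__ replacement that admits only whitelisted top-level modules."""
    real_import = builtins.__import__

    def restricted_import(name, globals=None, locals=None, fromlist=(), level=0):
        # Judge by top-level package, so "collections.abc" is checked as "collections".
        top = name.split(".")[0]
        if level != 0 or top not in allowed:
            raise DisallowedImport("import of %r is not permitted" % name)
        return real_import(name, globals, locals, fromlist, level)

    return restricted_import


def run_user_code(source, allowed=ALLOWED_MODULES):
    """Execute untrusted source with a whitelisted __import__; return its globals."""
    safe_builtins = dict(vars(builtins))
    for name in DENIED_BUILTINS:
        safe_builtins.pop(name, None)
    # Both "import x" statements and explicit __import__("x") calls go through this hook.
    safe_builtins["__import__"] = make_restricted_import(allowed)
    user_globals = {"__builtins__": safe_builtins, "__name__": "__user__"}
    exec(compile(source, "<user>", "exec"), user_globals)
    return user_globals


def attempt(source, allowed=ALLOWED_MODULES):
    """Return (accepted, namespace_or_reason) so callers can tell rejection from success."""
    try:
        return True, run_user_code(source, allowed)
    except DisallowedImport as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(attempt("import math\nx = math.sqrt(16)")[1]["x"])   # 4.0
    print(attempt("import os\n")[1])                           # import of 'os' is not permitted
```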