Subject: Re: Sanitise user input for a script
From: Simon Connah
Newsgroups: comp.lang.python
Date: Sat, 31 Aug 2024 04:51 UTC
References: 1 2 3
Attachments: "signature.asc" (application/pgp-signature)
Message-ID: <mailman.21.1725079910.2917.python-list@python.org>
References: <Y_Bag-4OjGfIUUu5xJIzjMhKnizgNZcYAf05yMBQT7n_j-eeooAwDo2e1yVK1FWLbhUeQLmRZ82ywJcyqs13yuDBuejH_fHBxwNHDBRm_1A=@protonmail.com>
<20240830202301.mb2coheew2yb46v4@hjp.at>
<gdUiGRXbte3q1N8WkstyWGE2R66TJOEiLiiy41NZHMyonY_27lL7Dkob1NTenKzBMMBND582nfTLI9xU5kouau_U0PLXVmy7hPQQem_kzpY=@protonmail.com>

On Friday, 30 August 2024 at 21:23, Peter J. Holzer via Python-list <python-list@python.org> wrote:

> On 2024-08-30 19:18:29 +0000, Simon Connah via Python-list wrote:
> > I need to write a script that will take some user input (supplied on a
> > website) and then execute a Python script on a host via SSH. I'm
> > curious what the best options are for protecting against malicious
> > input in much the same way as you sanitise SQL to protect against SQL
> > injections.
>
> (Aside: Don't "sanitize" SQL. Use placeholders.)
>
> > I could do it either on the website itself or by doing it on the host
> > machine.
>
> You will have to do it in the web site.
>
> The SSH manual states:
>
> | If supplied, the arguments will be appended to the command, separated by
> | spaces, before it is sent to the server to be executed.
>
> So whether you call
> ssh myhost print_args a b c
> or
> ssh myhost print_args a "b c"
> in both cases exactly the same string will be sent to myhost, and it
> won't have any chance to distinguish them.
>
> So you will either have to filter ("sanitize") the arguments or properly
> quote them before invoking SSH.
>
> > If someone has any suggestions I'd appreciate it. If you need more
> > information then please let me know.
>
> First, if there is any chance that your arguments can contain characters
> with meaning to the shell (like an apostrophe in a name), get the
> quoting correct. If you can, transmit those arguments in a different way
> (e.g. as input, maybe just nul-separated, maybe as JSON, or whatever).
>
> That removes the SSH-specific problems. There may still be problems with
> the python script on the host.
>
> Then, do all the validation you can on the web server. Reject all
> requests which aren't valid. But be sure to check against the relevant
> specifications, not your prejudices (You may not think that an
> apostrophe in an email address is valid, but it is). Include meaningful
> error messages (not just "input invalid"). Helping your legitimate users
> is more important than slightly inconveniencing an attacker.

Thank you very much. That is very useful.

Simon.
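The following is an added example, not code posted by anyone in this thread. It illustrates Peter's three points in working Python: why the remote host cannot tell `print_args a b c` from `print_args a "b c"` once ssh has joined the arguments, how `shlex.join` quotes arguments so the remote shell re-splits them as intended, how to avoid the shell entirely by sending the user data as JSON on stdin, and how to validate against the actual specification (an apostrophe is legal in the local part of an email address) while returning a message the user can act on. The host name `myhost` and script name `print_args` are the hypothetical names from the thread; `run_remote` is the only function that contacts a host, and nothing else here needs one.

```python
from __future__ import annotations

import json
import re
import shlex
import subprocess
from typing import Sequence

# Hypothetical names taken from the thread; no real machine is contacted by
# any function except run_remote.
HOST = "myhost"
SCRIPT = "print_args"


def remote_string_as_ssh_sends_it(command: Sequence[str]) -> str:
    """Model of the ssh(1) behaviour quoted in the thread: the remote command
    and its arguments are joined with single spaces and sent to the server as
    one string. The remote side only ever sees the joined result."""
    return " ".join(command)


def build_ssh_argv_quoted(host: str, script: str, args: Sequence[str]) -> list[str]:
    """Option 1: quote each argument for the remote POSIX shell. shlex.join
    applies shlex.quote to every element, so the remote shell re-splits the
    string into exactly the words the web server intended, even when an
    argument contains spaces or an apostrophe."""
    remote_command = shlex.join([script, *args])
    return ["ssh", host, remote_command]


def build_ssh_argv_stdin(host: str, script: str, args: Sequence[str]) -> tuple[list[str], bytes]:
    """Option 2: keep the remote command line fixed and send the user data as
    JSON on stdin, so no user-controlled byte is ever interpreted by a shell."""
    payload = json.dumps({"args": list(args)}).encode("utf-8")
    return ["ssh", host, script], payload


def read_json_args(stdin_bytes: bytes) -> list[str]:
    """What the script on the host does with option 2: parse stdin as JSON and
    check the shape before using anything from it."""
    data = json.loads(stdin_bytes.decode("utf-8"))
    args = data.get("args") if isinstance(data, dict) else None
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        raise ValueError("stdin payload must be a JSON object with a list of strings under 'args'")
    return args


# Validate against the specification, not a guess about what looks "safe":
# RFC 5322 atext allows an apostrophe (and !#$%&*+/=?^_`{|}~) in the local
# part. This accepts only the dot-atom form of addr-spec; quoted local parts
# and address literals are out of scope for this example.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
DOT_ATOM = rf"{ATEXT}(?:\.{ATEXT})*"
ADDR_SPEC_RE = re.compile(rf"^{DOT_ATOM}@{DOT_ATOM}$")


def validate_email(value: str) -> tuple[bool, str]:
    """Return (ok, message). The message names what is wrong so a legitimate
    user can fix their input; an empty message means the value was accepted."""
    if "@" not in value:
        return False, "email address must contain '@'"
    if not ADDR_SPEC_RE.match(value):
        return False, "email address contains characters not allowed in an addr-spec"
    return True, ""


def run_remote(host: str, script: str, args: Sequence[str]) -> subprocess.CompletedProcess:
    """Invoke ssh using option 2. Requires a reachable host, so it is not
    exercised by the checks below."""
    argv, payload = build_ssh_argv_stdin(host, script, args)
    return subprocess.run(argv, input=payload, capture_output=True, check=True)


if __name__ == "__main__":
    # The ambiguity from the thread: both calls reach the host as the same string.
    print(remote_string_as_ssh_sends_it(["print_args", "a", "b", "c"]))
    print(remote_string_as_ssh_sends_it(["print_args", "a", "b c"]))
    # With quoting, the remote shell can tell them apart again.
    print(build_ssh_argv_quoted(HOST, SCRIPT, ["a", "b c", "O'Brien"])[2])
    print(validate_email("o'brien@example.com"))
```

Option 2 is the one to prefer when the script on the host is yours to change: the remote command line never varies, and the host-side script gets a typed structure instead of a shell-split string. Option 1 is the fallback when the remote script must take positional arguments; it relies on the remote login shell being POSIX-compatible, which is what `shlex.quote` targets.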
