469,336 Members | 5,570 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 469,336 developers. It's quick & easy.

Python CGI Script

Hello,

I'm a data-structures course TA trying to write a python CGI script
for automatically compiling and testing students' projects.
Unfortunately, I've run into some questions while writing this, which I
couldn't solve with the various (and helpful) python-CGI documentation.
(It's possible that I'm posting to the wrong group; if so, I'd
appreciate suggestions for the appropriate group.)
1. In my HTML page, I have the following:

<form method="post" action="submission_processor.py"
enctype="multipart/form-data">
....
</form>

In the above, submission_processor.py is the python CGI script. I
didn't write a URL in the action field, since I'm first testing
everyting on a local machine (running FC4). The first line of
submission_processor.py is

#!/usr/bin/python

and I've done

chmod +x submission_processor.py

When I hit the "submit" button, my browser (Firefox on FC4) doesn't
run the script; it asks me whether it should open
submission_processor.py or save it to disk. I couldn't figure out why.

2. My HTML page has the option for an instructor to list the various
submissions and scores. Obviously, this should be inaccessible to
students. The instructor has a password for doing this, therefore.
Suppose I place the password inside a python script, and give this
script only +x permission for others. Is this adequate as far as security?
Thanks in advance for answering these questions.
Efrat
Oct 2 '05 #1
2 1844
Efrat Regev wrote:
Hello,

I'm a data-structures course TA trying to write a python CGI script
for automatically compiling and testing students' projects.
Unfortunately, I've run into some questions while writing this, which I
couldn't solve with the various (and helpful) python-CGI documentation.
(It's possible that I'm posting to the wrong group; if so, I'd
appreciate suggestions for the appropriate group.)
1. In my HTML page, I have the following:

<form method="post" action="submission_processor.py"
enctype="multipart/form-data">
...
</form>

In the above, submission_processor.py is the python CGI script. I
didn't write a URL in the action field, since I'm first testing
everyting on a local machine (running FC4). The first line of
submission_processor.py is

#!/usr/bin/python

and I've done

chmod +x submission_processor.py

When I hit the "submit" button, my browser (Firefox on FC4) doesn't
run the script; it asks me whether it should open
submission_processor.py or save it to disk. I couldn't figure out why.
You also have to have the executable script inside a directory that is
recognised as being a script directory (usually achieved with an Apache
ScriptAlias directive), or have the server otherwise recognise .py files
as executable (just setting the +x mode bit isn't enough).

In the absence of such knowledge the server just returns the content of
the file rather than the content produced by *executing* the file.
2. My HTML page has the option for an instructor to list the various
submissions and scores. Obviously, this should be inaccessible to
students. The instructor has a password for doing this, therefore.
Suppose I place the password inside a python script, and give this
script only +x permission for others. Is this adequate as far as security?
That depends on whether you wanted to use HTTP security (provided
automatically by the web server) or application security (provided by
your code).

In the case of a script which is for general running but where some of
the script's functionality shouldn't be generally available you are
stuck with the latter. It's OK to have passwords in your script as long
as you are sure that the script isn;t going to be served up as content
like it currently is!

Thanks in advance for answering these questions.
Efrat


regards
Steve
--
Steve Holden +44 150 684 7255 +1 800 494 3119
Holden Web LLC www.holdenweb.com
PyCon TX 2006 www.python.org/pycon/

Oct 2 '05 #2
Efrat,

I am afraid a CGI script is never *executed* by the browser. Instead, it sends
the URL to a server, expects the server to execute the script, and display the
server's response. If you just put a file name then (it seems, I never even
tried that) Firefox uses the local file store as a 'server' in that respect.

If you want to test a CGI script on your own machine, you should run a web
server on your own machine. That server should also be set up in a way that it
recognizes a '.py' file as a CGI script to be executed by Python (not all
servers may recognize the #! trick...).

This may look scary, but it is not that bad. Apache has a number of precompiled
binary versions that you can install on your machine; you can also use servers
like W3C's jigsaw (this relies on Java) or others. These are all free and easy
to install and, well, manageable to configure. Actually, in case you run on a
MacOS X by any chance, Apache is already installed afaik...

I hope this helps

Ivan
-------- Original Message --------
From: Efrat Regev <ef*********@yahoo.com>
To:
Subject: Python CGI Script
Date: 30/9/2005 12:50
Hello,

I'm a data-structures course TA trying to write a python CGI script
for automatically compiling and testing students' projects.
Unfortunately, I've run into some questions while writing this, which I
couldn't solve with the various (and helpful) python-CGI documentation.
(It's possible that I'm posting to the wrong group; if so, I'd
appreciate suggestions for the appropriate group.)
1. In my HTML page, I have the following:

<form method="post" action="submission_processor.py"
enctype="multipart/form-data">
...
</form>

In the above, submission_processor.py is the python CGI script. I
didn't write a URL in the action field, since I'm first testing
everyting on a local machine (running FC4). The first line of
submission_processor.py is

#!/usr/bin/python

and I've done

chmod +x submission_processor.py

When I hit the "submit" button, my browser (Firefox on FC4) doesn't
run the script; it asks me whether it should open
submission_processor.py or save it to disk. I couldn't figure out why.

2. My HTML page has the option for an instructor to list the various
submissions and scores. Obviously, this should be inaccessible to
students. The instructor has a password for doing this, therefore.
Suppose I place the password inside a python script, and give this
script only +x permission for others. Is this adequate as far as security?
Thanks in advance for answering these questions.
Efrat

Oct 2 '05 #3

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

28 posts views Thread by Erik Johnson | last post: by
2 posts views Thread by DeepBleu | last post: by
52 posts views Thread by Olivier Scalbert | last post: by
4 posts views Thread by Tom Purl | last post: by
17 posts views Thread by Paul Rubin | last post: by
3 posts views Thread by krzychu | last post: by
6 posts views Thread by manatlan | last post: by
37 posts views Thread by John Salerno | last post: by
6 posts views Thread by tatamata | last post: by
reply views Thread by suresh191 | last post: by
reply views Thread by Marylou17 | last post: by
1 post views Thread by Marylou17 | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.