
Python cgi

I'm currently writing my first CGI script (in Python), and I keep
getting an error I don't know how to address. I'm not sure if this is
a Python or Apache error, but I suspect it's an Apache config thing.
Anyway, in my code I need to upload a file, so in my HTML there's a
line like

File to upload <input type="file" name="myfile">

and in my Python code I try to read the file following the Python docs
and the Python Cookbook like

import cgi

form = cgi.FieldStorage()
fileitem = form["myfile"]
if fileitem.file:
    # file upload details...
    pass
else:
    # print error stuff to page
    pass

The problem is that the "if fileitem.file" test is never true. After
some debugging I discovered that this is because fileitem is returned
as type MiniFieldStorage instead of FieldStorage, which is described as
"Like FieldStorage, for use when no file uploads are possible." There
are other fields in the form that are read just fine. Does anyone know
why no file uploads would be possible? I know very little about
configuring Apache, unfortunately.

Also, I need to run an external program with my CGI script using
something like os.system with flags from input forms, which is a major
security risk. Is it simply enough to test for flag.isalnum() or
should I do more to prevent random programs from being run? I should
also do some minimal DOS protection as well, so information on how to
do that simply would be appreciated as well.

Some system info:
Fedora Core 3
Apache 2.0.53
Python 2.3.4

Thanks,
Jeremy

Oct 21 '05 #1
3 Replies


jbrewer wrote:
I'm currently writing my first CGI script (in Python), and I keep
getting an error I don't know how to address. I'm not sure if this is
a Python or Apache error, but I suspect it's an Apache config thing.


I suspect it's neither :)
Make sure your HTML form looks like
<form method="post" enctype="multipart/form-data" ...etc,
e.g. action="foo.py">
Oct 21 '05 #2

"jbrewer" <je*************@gmail.com> writes:
Also, I need to run an external program with my CGI script using
something like os.system with flags from input forms, which is a major
security risk. Is it simply enough to test for flag.isalnum() or
should I do more to prevent random programs from being run? I should
also do some minimal DOS protection as well, so information on how to
do that simply would be appreciated as well.


Map the input data through a dictionary:

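# form field name -> flag string you know is safe (... and so on for each supported flag)
flags = dict(longflag = '-l', verboseflag = '-v')
# getfirst() returns None for a field that was not submitted, instead of raising KeyError
comflags = [flags[flag] for flag in flags if form.getfirst(flag)]
# os.system takes a single command string, so join the known-safe pieces
os.system(' '.join([mycommand] + comflags))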

or words to that effect. The critical thing is that data from over
the net never goes into the command, it's just used to look up values
in the dictionary, which provides strings you know are safe to pass to
the command.

The downside is that the client can only use flags your code knows
about. Of course, that's also an *upside*.

<mike
--
Mike Meyer <mw*@mired.org> http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
Oct 21 '05 #3
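
The dictionary lookup described in the reply above, as an added example that is not part of the original posts. It is written for current Python 3 and takes already-parsed form fields instead of `cgi.FieldStorage`; the field names, flags, sample form body and the 5-second timeout are assumptions made for illustration.

```python
import subprocess
from urllib.parse import parse_qs

# Allowlist: form field name -> the exact argv token it switches on.
# (Hypothetical names; use the flags your own program accepts.)
ALLOWED_FLAGS = {
    "longflag": "-l",
    "verboseflag": "-v",
}

# Constructed sample of a submitted form body. "longflag" carries shell
# metacharacters and "outfile" is a field the script does not know about.
SAMPLE_BODY = "longflag=on%3B+id&verboseflag=1&outfile=-o+%2Ftmp%2Fx"


def build_argv(base_argv, fields):
    """Return base_argv plus the constant flag for each allowlisted field.

    `fields` maps field name -> list of values (the shape parse_qs returns).
    Submitted values are only tested for being non-empty; no client-supplied
    string is ever copied into the result, and unknown fields are ignored.
    """
    argv = list(base_argv)
    for name, flag in ALLOWED_FLAGS.items():  # iterate our keys, not the client's
        if any(value.strip() for value in fields.get(name, [])):
            argv.append(flag)
    return argv


def run(base_argv, fields, timeout=5):
    """Run the program with an argv list (no shell) and a time limit."""
    return subprocess.run(
        build_argv(base_argv, fields),
        capture_output=True,
        text=True,
        timeout=timeout,  # raises TimeoutExpired if the child runs too long
        check=False,
    )


if __name__ == "__main__":
    # Prints ['myprogram', '-l', '-v']; "; id" and "outfile" never appear.
    print(build_argv(["myprogram"], parse_qs(SAMPLE_BODY)))
```

Because the command is passed as a list and no shell is involved, the flags reach the program as separate arguments exactly as written in the dictionary.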

I added enctype="multipart/form-data" to the <form> tag, and that
seemed to solve it. Thanks.

Jeremy

Oct 23 '05 #4
