Secure Python code - volunteers for code review?

andrew blah

Hello

I have recently released catchmail - a free (BSD license) open source
Python utility www.users.bigpond.net.au/mysite/catchmail.htm

This script processes in and outbound emails and stores them to a
database.

The source code is here:
http://www.users.bigpond.net.au/mysi...t/catchmail.py

It's not a very long script (about 300 lines or so).

I'm quite concerned however about security and I'd like catchmail to be
as secure as possible. What can be done to verify the security of this
script?

I would really value it if any security aware Python guru was able to
review the code from a security perspective. It would be good to
ensure that python or sql code planted in an email or an attachment
could not execute and break out of the script - or that any other
security issue might arise. But how - I don't have anything near the
level of Python expertise required to properly assess this script for
security risk? If someone has the time to do a code review it would be
much appreciated.

Thanks in advance

Andrew Stuart
andrew dot stuart at xse dot com dot au

Jul 18 '05 #1

Subscribe Post Reply

2063

Josiah Carlson

> I would really value it if any security aware Python guru was able to

review the code from a security perspective. It would be good to
ensure that python or sql code planted in an email or an attachment
could not execute and break out of the script - or that any other
security issue might arise. But how - I don't have anything near the
level of Python expertise required to properly assess this script for
security risk? If someone has the time to do a code review it would be
much appreciated.

You can save yourself many concerns by encoding your data in some
fashion that cannot be understood by the database to mean anything. Hex
works well for that.

In terms of general script security, you should be more specific about
what you are worried about.

- Josiah

Jul 18 '05 #2

Cliff Wells

On Tue, 2004-10-12 at 20:52 -0700, Josiah Carlson wrote:

I would really value it if any security aware Python guru was able to
review the code from a security perspective. It would be good to
ensure that python or sql code planted in an email or an attachment
could not execute and break out of the script - or that any other
security issue might arise. But how - I don't have anything near the
level of Python expertise required to properly assess this script for
security risk? If someone has the time to do a code review it would be
much appreciated.

You can save yourself many concerns by encoding your data in some
fashion that cannot be understood by the database to mean anything. Hex
works well for that.

A more straightforward way is to simply use prepare() religiously. This
also avoids the headache of having to decode your data if you use a
different program to access it (such as psql or mysql).

Regards,
Cliff

--
Cliff Wells <cl************@comcast.net>

Jul 18 '05 #3

Gerhard Haering

On Tue, Oct 12, 2004 at 10:25:58PM -0700, Cliff Wells wrote:

[Josiah Carlson requests a security review of his code storing/receiving
email data from a PostgreSQL database]

A more straightforward way is to simply use prepare() religiously.
This also avoids the headache of having to decode your data if you
use a different program to access it (such as psql or mysql).

There's no prepare() in the DB-API. Letting the database module do the
quoting should be enough to stay clear of SQL injection attacks.

And this his code does, from what I can see. The SQL stuff is hard to
read for me, though. Maybe the database access code should be factored
out more and put in a class of its own.

-- Gerhard

Jul 18 '05 #4

Gerhard Haering

On Tue, Oct 12, 2004 at 08:52:31PM -0700, Josiah Carlson wrote:

You can save yourself many concerns by encoding your data in some
fashion that cannot be understood by the database to mean anything.
Hex works well for that.

Looks like overkill to me. If you let the DB-API do the quoting (by
providing both SQL statements and parameters to the execute method,
which he does), you're on the safe side IMO.

Using TEXT and VARCHAR fields for emails is the way to go IMO. No need
for any fancy BLOB/BYTEA column types, because emails cannot contain
chr(0) anyway. If you want to search and/or compare, then you should
be aware of possible charset issues, though.

-- Gerhard

Jul 18 '05 #5

Cliff Wells

On Wed, 2004-10-13 at 16:53 +0200, Gerhard Haering wrote:

On Tue, Oct 12, 2004 at 10:25:58PM -0700, Cliff Wells wrote:
[Josiah Carlson requests a security review of his code storing/receiving
email data from a PostgreSQL database]

A more straightforward way is to simply use prepare() religiously.
This also avoids the headache of having to decode your data if you
use a different program to access it (such as psql or mysql).

There's no prepare() in the DB-API. Letting the database module do the
quoting should be enough to stay clear of SQL injection attacks.

Ah, right. Too much language switching and not enough sleep (it's
8:00AM here and I haven't seen a bed yet) :P

--
Cliff Wells <cl************@comcast.net>

Jul 18 '05 #6

andrew blah

Thank you all very much for your helpful comments. I will take them
into account.

A few people credited me here with having written the code. Kind - but
I'm the project lead - not the person who wrote the code. The code was
written by Mark Hammond - that would explain why it is well written.

Thanks again to all for the comments and guidance - most helpful.
Regards

Andrew Stuart

Jul 18 '05 #7

Similar topics

My only complaint about Python

by: Darren Dale | last post by:

I love the language. I love the community. My only complaint is that Python for Windows is built with Visual Studio. It is too difficult to build python, or a module, from source. This is what...

Python

Python 2.3.5 ?

by: Luis M. Gonzalez | last post by:

I'm confussed... Python 2.4 (final) hs been released a few days ago, but now I see that Python 2.3.5 is being worked on. Why? What does it mean?

Python

[perl-python] Python documentation moronicities (continued)

by: Xah Lee | last post by:

http://python.org/doc/2.4.1/lib/module-re.html http://python.org/doc/2.4.1/lib/node114.html --------- QUOTE The module defines several functions, constants, and an exception. Some of the...

Python

CERT C Programming Language Secure Coding Standard

by: Robert Seacord | last post by:

The CERT/CC has just deployed a new web site dedicated to developing secure coding standards for the C programming language, C++, and eventually other programming language. We have already...

C / C++

PSF Infrastructure has chosen Roundup as the issue tracker for Python development [repost]

by: bcannon | last post by:

At the beginning of the month the PSF Infrastructure committee announced that we had reached the decision that JIRA was our recommendation for the next issue tracker for Python development....

Python

Python Extension Building Network

by: kyosohma | last post by:

Hi, I am trying to get a small group of volunteers together to create Windows binaries for any Python extension developer that needs them, much like the package/extension builders who volunteer...

Python

Migrating Website to Cloud - Emmanuel Katto

by: emmanuelkatto | last post by:

Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud. Please let me know. Thanks! Emmanuel

General

Looking to do Android software development, any suggestions? Is flutter better?

by: nemocccc | last post by:

hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?

General

Is that possible of reading the .csv file in column wise and the column have different lengths ?

by: Sonnysonu | last post by:

This is the data of csv file 1 2 3 1 2 3 1 2 3 1 2 3 2 3 2 3 3 the lengths should be different i have to store the data by column-wise with in the specific length. suppose the i have to...

C / C++

How to build RAID in BIOS?

by: Hystou | last post by:

There are some requirements for setting up RAID: 1. The motherboard and BIOS support RAID configuration. 2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...

Computer Hardware

What is ONU?

by: marktang | last post by:

ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...

General

Changing the language in Windows 10

by: Hystou | last post by:

Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...

Windows Server

Maximizing Business Potential: The Nexus of Website Design and Digital Marketing

by: jinu1996 | last post by:

In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...

Online Marketing

AI Job Threat for Devs

by: agi2029 | last post by:

Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...

Career Advice

Access Europe - Using VBA to create a class based on a table - Wed 1 May

by: isladogs | last post by:

The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new...

Microsoft Access / VBA