From: "Peter J. Holzer" <hjp-python@hjp.at>
Newsgroups: comp.lang.python
Subject: Re: Sanitise user input for a script
Date: Fri, 30 Aug 2024 22:23:01 +0200
Message-ID: <mailman.17.1725049899.2917.python-list@python.org>
X-Mailman-Original-Message-ID: <20240830202301.mb2coheew2yb46v4@hjp.at>
In-Reply-To: <Y_Bag-4OjGfIUUu5xJIzjMhKnizgNZcYAf05yMBQT7n_j-eeooAwDo2e1yVK1FWLbhUeQLmRZ82ywJcyqs13yuDBuejH_fHBxwNHDBRm_1A=@protonmail.com>
List-Id: General discussion list for the Python programming language <python-list.python.org>
List-Archive: <https://mail.python.org/pipermail/python-list/>

On 2024-08-30 19:18:29 +0000, Simon Connah via Python-list wrote:
> I need to write a script that will take some user input (supplied on a
> website) and then execute a Python script on a host via SSH. I'm
> curious what the best options are for protecting against malicious
> input in much the same way as you sanitise SQL to protect against SQL
> injections.

(Aside: Don't "sanitize" SQL. Use placeholders.)

> I could do it either on the website itself or by doing it on the host
> machine.

You will have to do it in the web site. The SSH manual states:

| If supplied, the arguments will be appended to the command, separated by
| spaces, before it is sent to the server to be executed.

So whether you call

    ssh myhost print_args a b c

or

    ssh myhost print_args a "b c"

in both cases exactly the same string will be sent to myhost, and it
won't have any chance to distinguish them. So you will either have to
filter ("sanitize") the arguments or properly quote them before invoking
SSH.

> If someone has any suggestions I'd appreciate it. If you need more
> information then please let me know.

First, if there is any chance that your arguments can contain characters
with meaning to the shell (like an apostrophe in a name), get the quoting
correct. If you can, transmit those arguments in a different way (e.g. as
input, maybe just nul-separated, maybe as JSON, or whatever). That removes
the SSH-specific problems. There may still be problems with the python
script on the host.

Then, do all the validation you can on the web server. Reject all
requests which aren't valid. But be sure to check against the relevant
specifications, not your prejudices (You may not think that an apostrophe
in an email address is valid, but it is). Include meaningful error
messages (not just "input invalid"). Helping your legitimate users is
more important than slightly inconveniencing an attacker.

        hp

-- 
   _  | Peter J. Holzer    | Story must make more sense than reality.
|_|_) |                    |
| |   | hjp@hjp.at         |    -- Charles Stross, "Creative writing
__/   | http://www.hjp.at/ |       challenge!"
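The three points in the reply above (ssh flattens the remote arguments into one string, so quote them on the web-server side; or send the values out of band on stdin as JSON; and validate against the actual spec, including apostrophes in e-mail local parts) as one added, self-contained Python example. This is not code from the post or from any project it mentions. Assumptions: the remote program name `print_args` is a placeholder, the remote login shell is simulated locally with `shlex.split`, the "remote" JSON reader is run in a local interpreter so the example works offline, and the e-mail check covers only the dot-atom form of an RFC 5322 address, not quoted local parts or address literals.

```python
import json
import re
import shlex
import subprocess
import sys

# --- 1. Quoting: ssh joins everything after the host into ONE string ---

def naive_remote_string(remote_prog, args):
    """What the remote shell receives when arguments are passed unquoted.
    Argument boundaries are lost: ['a', 'b c'] arrives as 'a b c'."""
    return " ".join([remote_prog, *args])

def quoted_remote_string(remote_prog, args):
    """Quote every argument for a POSIX shell *before* ssh joins them,
    so the remote shell reconstructs exactly the boundaries we had."""
    return " ".join(shlex.quote(x) for x in [remote_prog, *args])

def remote_argv(remote_string):
    """Simulate the remote login shell splitting the received string."""
    return shlex.split(remote_string)

def ssh_argv(host, remote_prog, args):
    """argv for subprocess.run(). The host name is assumed to come from
    configuration, never from user input; only `args` is user-supplied."""
    return ["ssh", host, quoted_remote_string(remote_prog, args)]

# --- 2. Alternative: hand the values over as JSON on stdin ---

# Stand-in for the script on the remote host (hypothetical): it reads a
# JSON array from stdin, so no shell on either side ever sees the values.
REMOTE_READER = (
    "import json, sys\n"
    "args = json.load(sys.stdin)\n"
    "print(json.dumps(args))\n"
)

def run_with_json_stdin(args):
    """Equivalent of `ssh myhost python3 remote_script.py < payload`,
    executed with a local interpreter so the example runs offline."""
    payload = json.dumps(list(args)).encode()
    proc = subprocess.run(
        [sys.executable, "-c", REMOTE_READER],
        input=payload, capture_output=True, check=True,
    )
    return json.loads(proc.stdout)

# --- 3. Validation against the specification, not prejudice ---

# RFC 5322 "atext": note that the apostrophe is a legal character.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
LOCAL_PART = re.compile(rf"^{ATEXT}(\.{ATEXT})*$")
# Simplified hostname check: dot-separated labels, no leading/trailing '-'.
DOMAIN = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")

def validate_email(addr):
    """Return (ok, message). The message is meant for the legitimate user,
    so it says *what* is wrong rather than just 'input invalid'."""
    if addr.count("@") != 1:
        return False, "an e-mail address must contain exactly one '@'"
    local, domain = addr.split("@")
    if len(local) > 64:
        return False, "the part before '@' must be at most 64 characters"
    if not LOCAL_PART.match(local):
        return False, ("the part before '@' may contain letters, digits, "
                       "dots and !#$%&'*+/=?^_`{|}~- only")
    if not DOMAIN.match(domain):
        return False, "the part after '@' must be a valid domain name"
    return True, ""

if __name__ == "__main__":
    print(remote_argv(naive_remote_string("print_args", ["a", "b c"])))
    print(remote_argv(quoted_remote_string("print_args", ["a", "b c"])))
    print(ssh_argv("myhost", "print_args", ["O'Brien", "$(id)"]))
    print(run_with_json_stdin(["a", "b c", "O'Brien"]))
    print(validate_email("o'brien@example.com"))
    print(validate_email("bad address@example.com"))
```

Running it shows the naive string yielding four words where three were sent, the quoted form preserving `b c` and the apostrophe in `O'Brien`, and `$(id)` staying a literal string rather than being expanded by the simulated remote shell. The stdin variant avoids the remote shell entirely, which is why the reply recommends it when the transport allows; the validation step still belongs on the web server in either case.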