
Security precautions for running python in cgi-bin

I've been writing python scripts that run locally. I would now like to offer a service online using one of these python scripts, and through the web hosting I have I can run python in the cgi-bin.

The python script takes input from an html form filled in by the user, has the credentials and connects with a local database, calculates stuff using python libraries and sends out the results as HTML to be displayed.

What I would like to know is what security precautions I should take. Here are my worries:

  • What are the right file permissions for scripts called via web? 755?
  • I am taking user input. How do I guarantee it is sanitized?
  • I have user/pass for the database in the script. How do I prevent the script from being downloaded and the code seen?
  • Can I install the other libraries next to the file? Do I have to worry about security of/in these as well? Do I set their permissions to 700? 744?
  • Any other vulnerability I am unaware of?


Check out owasp.org - you're now writing a web application, and you need to worry about everything web apps need to worry about. The list is too long and complicated to place here, but OWASP is a good starting point.


  • File permissions - 755 is reasonable.
  • Sanitize your user input. That's how you guarantee it's sanitized. See this question.
  • Don't let people download the code for the script. You could also put the username/password in some directory that can't be accessed via the web (like outside the servable directories).
  • The best place to install other libraries is in your PYTHONPATH but outside the path Apache uses to serve things.
  • Vulnerabilities abound. Watch out for displaying things the user types, as that leads to XSS problems.


What are the right file permissions for scripts called via web? 755?

Use mod_wsgi so that your scripts are not run as scripts but as functions under a WSGI application.

I am taking user input. How do I guarantee it is sanitized?

Use a framework like Django.

I have user/pass for the database in the script. How do I prevent the script from being downloaded and the code seen?

Use a framework like Django.

Can I install the other libraries next to the file?

Yes.

Do I have to worry about security of/in these as well?

Yes.

Do I set their permissions to 700? 744?

They must be readable. That's all. However, if you use mod_wsgi, life is simpler. If you use a framework, simpler still.

Any other vulnerability I am unaware of?

Tons. Please see the http://www.owasp.org site.

Also, please use a framework. Please don't reinvent everything yourself. Folks have already solved all of these problems.

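The precautions the answers above recommend (credentials in a non-servable, owner-only file; user input never spliced into SQL; user input HTML-escaped before it is reflected) in one small CGI handler. This is an added example, not code from the question or any answer; the credentials path is a placeholder, and an in-memory sqlite3 table stands in for the local database.

```python
import html
import os
import sqlite3
import stat
from urllib.parse import parse_qs

# Assumed (placeholder) path outside DocumentRoot, so Apache never serves it.
CREDENTIALS_PATH = "/home/user/private/db.conf"

def credentials_file_is_private(mode):
    """True only if group and others have no permission bits (e.g. 0600)."""
    return not (mode & (stat.S_IRWXG | stat.S_IRWXO))

def parse_credentials(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            creds[key.strip()] = value.strip()
    return creds

def load_credentials(path=CREDENTIALS_PATH):
    """Refuse a group- or world-readable file before reading the secrets."""
    if not credentials_file_is_private(os.stat(path).st_mode):
        raise PermissionError(f"{path} must be chmod 600")
    with open(path) as fh:
        return parse_credentials(fh.read())

def lookup_score(conn, username):
    """Parameterised query: the user-supplied value is never spliced into SQL."""
    row = conn.execute("SELECT score FROM users WHERE name = ?", (username,)).fetchone()
    return None if row is None else row[0]

def render(query_string, conn):
    """Parse the form input and return a CGI response with user data escaped."""
    name = parse_qs(query_string).get("name", [""])[0][:64]  # bound the length
    score = lookup_score(conn, name)
    safe_name = html.escape(name, quote=True)  # neutralises XSS on reflection
    body = (f"<p>No result for {safe_name}</p>" if score is None
            else f"<p>Score for {safe_name}: {score}</p>")
    return "Content-Type: text/html; charset=utf-8\r\n\r\n<html><body>%s</body></html>" % body

def make_demo_db():
    """Constructed in-memory stand-in for the question's local database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, score INTEGER)")
    conn.execute("INSERT INTO users VALUES ('alice', 42)")
    return conn
```

Under Apache CGI the form data arrives in the environment, so the script's entry point is `print(render(os.environ.get("QUERY_STRING", ""), conn))`.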