
Re: Best-practice / howto packaging of CGI-based Web app ?



On Thu, Feb 6, 2014 at 8:43 AM, Paul Wise wrote:

> Which CGI are we talking about? Perhaps we can give more specific advice.

I guess you mean Online Python Tutor (#737732).

Looking at the git repo, it includes a lot of embedded code copies of
various JavaScript libraries and other code. As per policy 4.13 those
should be packaged separately.

https://wiki.debian.org/EmbeddedCodeCopies

I see some places where it uses os.system(). That should switch to
using the subprocess module with shell disabled.

The idea of this software is a bit concerning to me; it sounds like it
runs arbitrary Python code on the server and passes the results back
to the web. I would suggest auditing it to ensure that it isn't one
giant security hole. Please get CVEs for any issues that you find.

http://oss-security.openwall.org/wiki/disclosure/cve

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
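The os.system() point above, as an added example (not code from Online Python Tutor or from the Debian package): both functions run the same interpreter with a caller-supplied "filename", but the first hands a formatted string to /bin/sh (what os.system() does), so a name containing `;` splits into a second command, while the second passes an argv list with the shell disabled, so the whole name reaches the child as one argument. The payload string, the helper script and the function names are constructed for this illustration; `echo INJECTED` stands in for anything an attacker could append. It assumes a POSIX shell at /bin/sh.

```python
import shlex
import subprocess
import sys

# Child script that just reports the arguments it received.
ARGV_ECHO = "import sys; print(sys.argv[1:])"

# Constructed attacker input: a "filename" carrying a shell metacharacter payload.
MALICIOUS_NAME = "prog.py; echo INJECTED"


def run_shell_style(filename):
    """Vulnerable: format a command string and let the shell parse it.

    This is what os.system() does; subprocess.run(..., shell=True) is used
    here only so the output can be captured and checked. The filename is
    interpolated unquoted, so ';', '$(...)', '|' etc. are interpreted.
    """
    cmd = "%s -c %s %s" % (shlex.quote(sys.executable),
                           shlex.quote(ARGV_ECHO),
                           filename)  # <- untrusted, unquoted
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def run_argv_style(filename):
    """Hardened: argv list, no shell. The filename is exactly one argument."""
    argv = [sys.executable, "-c", ARGV_ECHO, filename]
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout


def was_injected(output):
    """True if the appended command actually ran (its echo line is present)."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("shell-style:", repr(run_shell_style(MALICIOUS_NAME)))
    print("argv-style: ", repr(run_argv_style(MALICIOUS_NAME)))
```

With the shell-style call the child sees only `['prog.py']` and the injected `echo` runs as a separate command; with the argv list the child sees `['prog.py; echo INJECTED']` and nothing else executes. If a shell is genuinely required, every interpolated value must go through shlex.quote(), but the argv form is the safer default and is what "subprocess with shell disabled" means in the message above.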
