How to get the origin of a form in cgi python?

Viewed 239 times

2

Hello, I’m using Python with CGI for my forms. I need to get the origin to make sure my website is safe, but I couldn’t find any information on it. The only thing I am doing for now is recovering the data that comes via POST or via GET:

#!/usr/bin/python2.7

import cgi
form = cgi.FieldStorage()  # parses the GET query string or the POST body

# I read a POST field like this:
nome = ""
if "nome" in form:
    nome = form["nome"].value

So, does anyone know which command I use to retrieve the origin (the site the form is coming from to access this page)?

1 answer

0

Short answer, but read below!

import os
origin = os.environ.get("REMOTE_HOST")

Some considerations: pure CGI is not an interesting technology to use in 2018. It was implemented in the "pre-Web 1.0" era; in addition to drastic performance problems, it comes from a time when every web application had to implement everything itself: all the session code, security, input checking, manually mapping your data to Python objects, writing them to the database (or other means).

Since the time when CGI was most commonly used, the complexity of, and the forms of attack on, web applications have multiplied more than 100 times. As an example, a CGI request creates a new process, with a new Python interpreter, for each page request via HTTP. Already about 10 years ago, even using a system thread per request (reusing the Python interpreter and the process) was considered "overkill", although it is still OK for apps without much traffic.

Understand what happens: the web server's CGI engine fills the environment variable "REMOTE_HOST" with the contents of the HTTP "Origin" field. (You might even call cgi.print_environ_usage() to see other interesting environment variables.)

However, as a "security mechanism", this variable and nothing are the same thing. The "Origin" field is placed in the HTTP header; in the normal operation of the application, this is done by the user’s browser, which fills the field with the domain of the site. However, anyone connected to the internet can make a "POST" or "GET" request to your server and fill in the HTTP headers, including "Origin", as they wish. This is actually one of the features of the HTTP protocol, as it allows the implementation of APIs.

When creating a web application you have to be aware that anything that arrives on your server can come from anywhere on the internet, and with any content.

The only thing that can be guaranteed is that, at some point before sending you a response, the HTTP client made some other request to your server (for example, to retrieve the HTML of the form itself); this is done by using cryptographic tokens. But keep in mind that the entire code of the page is under third-party control: you cannot guarantee any restriction on the values sent by the client, validation or anything else: the client "browser" is free to create a completely arbitrary "POST" for your application.

Over decades (decades after the creation of CGI, by the way) of web applications, web frameworks have evolved, incorporating code that either implements good security practices on its own or encourages their use. The type of "attack" you are thinking of, for example, is mitigated by the use of Cross-Site Request Forgery (CSRF) token verification, which is made (almost) automatic by all frameworks in active development. And it is an "attack", unlike an arbitrary "POST" made by an API, because it could be used to submit posts to your site from JavaScript maliciously embedded in any other web page, so a user of your site who visited the other page could have their data stolen or tampered with.

So the recommendation is: OK, play a little with CGI to understand the mechanisms. But as soon as possible, and especially before putting any application online, use a web framework like Flask, Django or Bottle, and Python 3 (Python 2 is also an obsolete technology that is to be completely retired. If your computer runs Linux, Python 3 is available simply by typing "python3" instead of "python").

  • These Python frameworks are too complex for me, I can’t... I can only use the same CGI. I really imagined that the origin would not be possible to protect; even so, thank you, I will try this command.

  • Frameworks only look complex if you try, without knowing the framework, to get a ready application. They are large, and complex, because a functional web application needs everything they have in order to exist. Not using a framework means that, for your application to be safe, you will have to recreate in your code everything frameworks do. Only, while they have 10 or 15 years of work by dozens of volunteers, you would have to do it all yourself.

  • That said: start from the beginning, without skipping steps; do the official Flask tutorial. An application in Flask can be simpler than one in CGI.

  • It doesn’t work, I’ve tried it, it’s a lot to think about at the same time... I already have difficulty using classes (object orientation); worse, you want me to use a framework that has to be edited here, edited there, it doesn’t work... I like straight-line programming, which does everything together; it is much easier and more legible. And also more fun to implement security myself... But you’re right, if I had the Flask ability it would be cool, but I know my limits better than anyone.

  • Try Flask: with Flask you can do everything in the same file (including HTML templates, which can be Python strings), and you can access the database with the Python drivers and write SQL directly, if SQLAlchemy seems complicated. Then you add things as you need them, but pure Flask, without using forms and without SQLAlchemy, can actually be simpler than CGI. My profile has my email; write there about anything.
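As an added example (not the code from the question or the answer above), the script below shows the two pieces the answer describes for a plain CGI script: reading the browser-supplied origin and verifying a server-issued CSRF token. The CGI specification (RFC 3875) exposes request headers as HTTP_<NAME> variables, so the example reads HTTP_ORIGIN (falling back to HTTP_REFERER) rather than REMOTE_HOST, and treats that value only as a weak signal, for the reason the answer gives: any client can set it. The real protection is the HMAC-based token bound to a session id. SITE_ORIGIN, SERVER_SECRET, the session id and the environ dictionaries are constructed placeholders; in a deployed script the environ is os.environ and the session id would come from a cookie.

```python
#!/usr/bin/env python3
"""Origin check plus CSRF token verification for a CGI script (added example).

Assumptions (not from the original page):
- request headers arrive as HTTP_* environment variables (RFC 3875);
- SITE_ORIGIN and SERVER_SECRET are loaded from configuration in real use;
- the session id is established elsewhere (e.g. a cookie set at login).
"""
import hashlib
import hmac
import os
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.com"  # placeholder: the site's canonical origin
SERVER_SECRET = b"placeholder-random-secret-kept-outside-the-script"


def request_origin(environ):
    """Return scheme://host from the Origin header, else from the Referer,
    else None. Both are client-supplied and cannot be trusted on their own."""
    origin = environ.get("HTTP_ORIGIN")
    if origin:
        return origin.rstrip("/").lower()
    referer = environ.get("HTTP_REFERER")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def origin_is_trusted(environ):
    """Weak check: a same-origin browser form post carries a matching Origin.
    A missing or foreign origin is rejected."""
    return request_origin(environ) == SITE_ORIGIN


def make_csrf_token(session_id):
    """Token = random nonce + HMAC(secret, session_id:nonce).
    Embedding it in the form binds a later POST to the session that
    fetched the form, which is what the answer calls a cryptographic token."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """Recompute the MAC and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def accept_post(environ, session_id, submitted_token):
    """Gate that a form handler runs before touching the submitted data:
    method must be POST, origin must match, token must verify."""
    if environ.get("REQUEST_METHOD", "GET").upper() != "POST":
        return False
    return origin_is_trusted(environ) and verify_csrf_token(session_id, submitted_token)


if __name__ == "__main__":
    # Constructed sample environment standing in for os.environ under CGI.
    session = "session-placeholder"
    token = make_csrf_token(session)
    good = {"REQUEST_METHOD": "POST", "HTTP_ORIGIN": "https://example.com"}
    foreign = {"REQUEST_METHOD": "POST", "HTTP_ORIGIN": "https://other.example"}
    print("same-origin POST with valid token:", accept_post(good, session, token))
    print("foreign-origin POST with valid token:", accept_post(foreign, session, token))
    print("same-origin POST with forged token:", accept_post(good, session, "x.y"))
    print("real CGI environ origin:", request_origin(os.environ))
```

In a CGI handler the token is written into the form as a hidden field when the page is generated, and `accept_post(os.environ, session_id, form["csrf_token"].value)` is called before any data is processed; a rejected request should be logged with the offending origin and session id so forged submissions are visible in the server logs.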
