Does Python/UWSGI require security settings like PHP does?
I'll probably be starting on my first Python web application soon. With PHP, I always set a bunch of security-related settings, e.g.:
php_admin_value[disable_functions] = apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode, symlink
As well as open_basedir and disabling version information/error logging once things go live. nginx also requires something like this in the PHP-FPM block:
try_files $uri =404;
Does Python/uWSGI with nginx require similar settings? I want to prevent Python from being able to execute shell commands and access files outside of the allowed paths. (I'm assuming web hosts must have something similar since they don't want users to access the files of other users in a shared hosting environment.)
Thanks!
2 Replies
You can't easily disable functions in Python but it shouldn't really be necessary. There is at least one specific function that is a bad idea to call from a Python web app, namely eval(), and then a large set of functions where you need to be very very careful to make sure the function parameters are sanitized if they contain any user input, for example any functions in the os module.
For Python you mostly need to be aware of the OWASP Top 10.
For uWSGI specifically I can't say, but anything special there should be discussed in uWSGI documentation.
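The three points in the reply above (never eval() user input, be careful with anything that reaches the os module or a child process, and confine file access the way open_basedir does in PHP) as an added Python example. This is not code from either poster; the ALLOWED_ROOT directory and the function names are assumptions, and the child process is a Python one-liner so it runs wherever Python does.

```python
"""Defensive checks for a Python (WSGI/uWSGI) app that play the role PHP's
open_basedir and disable_functions play. Example written for this thread;
ALLOWED_ROOT and the function names are assumptions."""

import ast
import subprocess
import sys
from pathlib import Path

# Assumed: the only directory the app may read user-requested files from.
ALLOWED_ROOT = Path("/srv/app/uploads")


def safe_join(root, user_path):
    """Join user_path under root; return None if the result escapes root.

    The check runs on the *resolved* path, so '../' segments, absolute
    paths and symlinks pointing elsewhere are all caught. It compares
    parent directories rather than string prefixes: a prefix check would
    wrongly accept '/srv/app/uploads2/x' for root '/srv/app/uploads'.
    Note that Path(root) / '/etc/passwd' silently discards root, which is
    why the containment test happens after joining, never before.
    """
    root = Path(root).resolve()
    candidate = (root / user_path).resolve()
    if candidate == root or root in candidate.parents:
        return candidate
    return None


def parse_literal(text):
    """Parse a user-supplied literal (numbers, strings, lists, dicts) without eval().

    ast.literal_eval accepts literal syntax only; anything with calls or
    attribute access raises ValueError, and malformed text raises
    SyntaxError. Both are mapped to None so the caller can reject it.
    """
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return None


def echo_via_subprocess(user_input):
    """Hand user input to a child process as one argv element, never via a shell.

    With an argument list and shell=False (the default), characters such as
    ';', '|' or '$(...)' arrive in the child as plain text instead of being
    interpreted. The child prints its first argument back, so the return
    value shows exactly what the child received.
    """
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", user_input],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    print(safe_join(ALLOWED_ROOT, "reports/2024.csv"))
    print(safe_join(ALLOWED_ROOT, "../../etc/passwd"))      # None
    print(safe_join(ALLOWED_ROOT, "../uploads2/x"))         # None
    print(parse_literal("{'page': 2, 'tags': ['a', 'b']}"))
    print(parse_literal("__import__('os').getcwd()"))        # None
    print(echo_via_subprocess("hello; world | $(nothing)"))
```

safe_join is the piece that stands in for open_basedir: it does not stop Python from opening files in general (there is no such switch, as the reply says), it only makes the one code path that takes a user-controlled filename refuse anything outside the allowed root. The other two functions cover the eval() and os/subprocess points from the same reply.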
Thanks!