Efrat Regev wrote: > Hello, > > I'm a data-structures course TA trying to write a python CGI script > for automatically compiling and testing students' projects. > Unfortunately, I've run into some questions while writing this, which I > couldn't solve with the various (and helpful) python-CGI documentation. > (It's possible that I'm posting to the wrong group; if so, I'd > appreciate suggestions for the appropriate group.) > > > 1. In my HTML page, I have the following: > > <form method="post" action="submission_processor.py" > enctype="multipart/form-data"> > ... > </form> > > In the above, submission_processor.py is the python CGI script. I > didn't write a URL in the action field, since I'm first testing > everyting on a local machine (running FC4). The first line of > submission_processor.py is > > #!/usr/bin/python > > and I've done > > chmod +x submission_processor.py > > When I hit the "submit" button, my browser (Firefox on FC4) doesn't > run the script; it asks me whether it should open > submission_processor.py or save it to disk. I couldn't figure out why. > You also have to have the executable script inside a directory that is recognised as being a script directory (usually achieved with an Apache ScriptAlias directive), or have the server otherwise recognise .py files as executable (just setting the +x mode bit isn't enough).
In the absence of such knowledge the server just returns the content of the file rather than the content produced by *executing* the file. > 2. My HTML page has the option for an instructor to list the various > submissions and scores. Obviously, this should be inaccessible to > students. The instructor has a password for doing this, therefore. > Suppose I place the password inside a python script, and give this > script only +x permission for others. Is this adequate as far as security? > That depends on whether you wanted to use HTTP security (provided automatically by the web server) or application security (provided by your code). In the case of a script which is for general running but where some of the script's functionality shouldn't be generally available you are stuck with the latter. It's OK to have passwords in your script as long as you are sure that the script isn;t going to be served up as content like it currently is! > > Thanks in advance for answering these questions. > > > Efrat regards Steve -- Steve Holden +44 150 684 7255 +1 800 494 3119 Holden Web LLC www.holdenweb.com PyCon TX 2006 www.python.org/pycon/ -- http://mail.python.org/mailman/listinfo/python-list