[Biopython-dev] [Bug 2508] New: NCBIStandalone.blastall: provide support for '-F F' and make it safe
bugzilla-daemon at portal.open-bio.org
Wed Jun 4 20:19:41 UTC 2008
http://bugzilla.open-bio.org/show_bug.cgi?id=2508
Summary: NCBIStandalone.blastall: provide support for '-F F' and make it safe
Product: Biopython
Version: 1.44
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Main Distribution
AssignedTo: biopython-dev at biopython.org
ReportedBy: mmokrejs at ribosome.natur.cuni.cz
The local NCBI blast by default masks low-complexity regions with the SEG algorithm.
I do not see a variable to affect this in NCBIStandalone.blastall().
Luckily, NCBIStandalone.blastall() is an unsafe function and does not check
whether I pass multiple arguments in a value expected to be a string or number.
Thus, I can do:
_blast_out, _error_info = NCBIStandalone.blastall('/usr/bin/blastall',
    'blastn', blast_db, _blast_file, matrix='IDENTITY -F 0')
but imagine I had done:
_blast_out, _error_info = NCBIStandalone.blastall('/usr/bin/blastall',
    'blastn', blast_db, _blast_file, matrix='IDENTITY -F 0; rm -rf /etc/passwd')
The function should be protected against such attacks as if it had
been directly exposed to web users as a CGI script. I propose a similar defensive
strategy for all functions calling os.system(), os.exec(), os.popen*(), etc.
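As an added illustration (not Biopython's code and not the reporter's), the block below contrasts the shell-string pattern the report warns about with an argv-list call that never reaches a shell. The function names, the `T`/`F` allowlist for `-F`, and the constructed `echo INJECTED` value are my own assumptions; blastall itself is never executed here.

```python
import re
import shlex
import subprocess

# Constructed, hypothetical helpers for illustration; not the NCBIStandalone API.

def unsafe_command(blastall, program, database, infile, matrix="BLOSUM62"):
    """The risky pattern: caller-supplied values pasted into one shell string."""
    return f"{blastall} -p {program} -d {database} -i {infile} -M {matrix}"

def shell_tokens(cmd):
    """Tokenize the string the way /bin/sh would, keeping ';', '&&', '|' separate."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)

def has_command_separator(cmd):
    """True if the shell would see more than one command in this string."""
    return any(tok in {";", "&&", "||", "|"} for tok in shell_tokens(cmd))

# Allowlists for the two values the report is about (assumed policy).
MATRIX_RE = re.compile(r"^[A-Za-z0-9_]+$")   # e.g. BLOSUM62, IDENTITY
FILTER_VALUES = {"T", "F"}                    # blastall -F: SEG on / off

def safe_argv(blastall, program, database, infile, matrix="BLOSUM62", filt="T"):
    """Validate each value, then build an argument list (no shell string)."""
    if not MATRIX_RE.fullmatch(matrix):
        raise ValueError(f"matrix must be alphanumeric, got {matrix!r}")
    if filt not in FILTER_VALUES:
        raise ValueError(f"-F must be one of {sorted(FILTER_VALUES)}, got {filt!r}")
    return [blastall, "-p", program, "-d", database, "-i", infile,
            "-M", matrix, "-F", filt]

def is_accepted(**kwargs):
    """Convenience wrapper: does safe_argv accept these values?"""
    try:
        safe_argv("/usr/bin/blastall", "blastn", "nt", "query.fa", **kwargs)
        return True
    except ValueError:
        return False

def run_blast(argv):
    """shell=False (the default): each argv element is passed to execve intact."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout, proc.stderr
```

With the list form, a value such as `'IDENTITY -F F; echo INJECTED'` is rejected by validation, and even without validation it would reach blastall as a single literal argument rather than a second shell command.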