[Biopython-dev] [Bug 2508] New: NCBIStandalone.blastall: provide support for '-F F' and make it safe

bugzilla-daemon at portal.open-bio.org bugzilla-daemon at portal.open-bio.org
Wed Jun 4 20:19:41 UTC 2008


http://bugzilla.open-bio.org/show_bug.cgi?id=2508

           Summary: NCBIStandalone.blastall:  provide support for '-F F' and
                    make it safe
           Product: Biopython
           Version: 1.44
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Main Distribution
        AssignedTo: biopython-dev at biopython.org
        ReportedBy: mmokrejs at ribosome.natur.cuni.cz


The local NCBI blast by default masks low-complexity region by SEG algorithm.
I do not see a variable to affect this in NCBIStandalone.blastall().

Luckily, NCBIStandalone.blastall() is an unsafe function and does not check
whether I pass multiple arguments in a value expected to be a string or number.
Thus, I can do:

_blast_out, _error_info = NCBIStandalone.blastall('/usr/bin/blastall',
'blastn', blast_db, _blast_file, matrix='IDENTITY -F 0')

but imagine I would have done:

_blast_out, _error_info = NCBIStandalone.blastall('/usr/bin/blastall',
'blastn', blast_db, _blast_file, matrix='IDENTITY -F 0; rm -rf /etc/passwd')

The function should be protected against such attacks as if it were directly
exposed to web users as a CGI script. I propose a similar defensive strategy
for all functions calling os.system(), os.exec(), os.popen*(), etc.


-- 
Configure bugmail: http://bugzilla.open-bio.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
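A defensive wrapper of the kind the report asks for, written here as an added example; it is not Biopython's code and not the fix that was eventually committed. It assumes the legacy blastall flag names (-p, -d, -i, -M, -F); the function names (validate_option, is_safe_value, build_blastall_argv) and the per-option allow-lists are this example's own choices, and -F is limited to the T/F on-off form.

```python
import re
import subprocess

# Added example, not Biopython code. The flag names below are the legacy NCBI
# blastall options (-p program, -d database, -i input file, -M matrix,
# -F filter); the wrapper only knows the handful of options it needs.
_OPTION_FLAGS = {
    "program": "-p",
    "database": "-d",
    "infile": "-i",
    "matrix": "-M",
    "filter": "-F",
}

# Allow-list per option. A value must match its pattern completely; anything
# else (spaces, ';', quotes, a leading '-') is rejected rather than escaped.
_OPTION_PATTERNS = {
    "program": re.compile(r"(blastn|blastp|blastx|tblastn|tblastx)"),
    "database": re.compile(r"[A-Za-z0-9_./-]+"),
    "infile": re.compile(r"[A-Za-z0-9_./-]+"),
    "matrix": re.compile(r"[A-Za-z0-9]+"),
    # Only the on/off form of -F is accepted here ('-F F' is what the report
    # asks for). Any other filter syntax would need its own explicit pattern.
    "filter": re.compile(r"[TF]"),
}


class UnsafeArgumentError(ValueError):
    """Raised when a caller-supplied option would alter the command line."""


def validate_option(name, value):
    """Return value if it is a safe string for option `name`, else raise."""
    if name not in _OPTION_FLAGS:
        raise UnsafeArgumentError("unknown blastall option %r" % name)
    if not isinstance(value, str):
        raise UnsafeArgumentError("option %r must be a str, got %s"
                                  % (name, type(value).__name__))
    # Even with shell=False, a value such as '-F 0' or '-rf' would be parsed
    # by blastall itself as extra flags: reject anything that looks like one.
    if value.startswith("-"):
        raise UnsafeArgumentError("option %r may not start with '-'" % name)
    # fullmatch, not match: with match() a '$' anchor still accepts a value
    # that ends in a newline, which is enough to smuggle a line into a log.
    if _OPTION_PATTERNS[name].fullmatch(value) is None:
        raise UnsafeArgumentError("option %r has disallowed value %r"
                                  % (name, value))
    return value


def is_safe_value(name, value):
    """Boolean form of validate_option for callers that prefer not to catch."""
    try:
        validate_option(name, value)
    except UnsafeArgumentError:
        return False
    return True


def build_blastall_argv(blastcmd, program, database, infile, **options):
    """Build the argv list for blastall; every value is validated first."""
    argv = [blastcmd]
    fixed = [("program", program), ("database", database), ("infile", infile)]
    for name, value in fixed + sorted(options.items()):
        validate_option(name, value)
        argv.extend([_OPTION_FLAGS[name], value])
    return argv


def blastall(blastcmd, program, database, infile, **options):
    """Run blastall without a shell and return (stdout, stderr) as strings."""
    argv = build_blastall_argv(blastcmd, program, database, infile, **options)
    # A list argv goes straight to execve, so no shell ever sees ';' or
    # '$(...)'. The allow-list above closes the remaining gap: blastall's own
    # option parser, which would otherwise honour a smuggled '-F 0'.
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.stdout, proc.stderr


if __name__ == "__main__":
    # The two matrix values from the report: the first is accepted, the
    # second is refused before any process is started.
    for matrix in ("IDENTITY", "IDENTITY -F 0"):
        verdict = "accepted" if is_safe_value("matrix", matrix) else "rejected"
        print("%r -> %s" % (matrix, verdict))
```

The two layers are deliberate: passing a list to subprocess removes the shell from the picture entirely, but it does nothing about a value that blastall's own parser reads as extra flags, which is exactly the '-F 0' trick in the report. The allow-list and the leading-dash check handle that second case, and a filter option of its own means the caller no longer has a reason to reach for it.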