security

How to use Python `secret` module to generate random integer?

Question: In Python 3.6, new module, secrets, was added. What is the most efficient way to generate random integer in range [n, m) using this module? I tried choice(range(n, m)), but I doubt it is the best way. Asked By: Franz Wexler || Source Answers: …

Total answers: 4

Are PIP packages curated? Is it safe to install them?

Question: With Debian or Ubuntu packages, there is some quality control. Is PIP similar, or is it a complete free-for-all? Can anyone upload any code they want under any name that they want? There seem to be some junk packages like https://pypi.python.org/pypi/opencv/0.0.1 which has the …

Total answers: 2

Secure Coding Guidelines for Python

Question: Looking at the CERT Secure Standards (Example: https://www.securecoding.cert.org), there are specific standards, with great examples of what good and bad code looks like, for C, C++, Java, even Perl but not Python. Are there any Python specific standards or guidelines, preferably with examples available? http://www.pythonsecurity.org/ appears to be focused …

Total answers: 6

hash function in Python 3.3 returns different results between sessions

Question: I've implemented a BloomFilter in python 3.3, and got different results every session. Drilling down this weird behavior got me to the internal hash() function – it returns different hash values for the same string every session. Example: >>> hash("235") -310569535015251310 —– opening a …

Total answers: 3

Encrypted and secure docker containers

Question: We all know situations when you cannot go open source and freely distribute software – and I am in one of these situations. I have an app that consists of a number of binaries (compiled from C sources) and Python code that wraps it all into a system. This …

Total answers: 6

Custom url for django admin

Question: For an extra little bit of security I want to change the default django admin url to the custom one, e.g. change mysite.com/admin/ to mysite.com/mysecretadmin/ so that admin is completely inaccessible via default url. I tried some solutions from the internet, for example I changed urls.py like this: from …

Total answers: 4

What are the risks of running 'sudo pip'?

Question: Occasionally I run into comments or responses that state emphatically that running pip under sudo is "wrong" or "bad", but there are cases (including the way I have a bunch of tools set up) where it is either much simpler, or even necessary to run it …

Total answers: 5

Python/Django – Avoid saving passwords in source code

Question: I use Python and Django to create web applications, which we store in source control. The way Django is normally set up, the passwords are in plain text within the settings.py file. Storing my password in plain text would open me up to a number of …

Total answers: 4

Do CSRF attacks apply to APIs?

Question: I'm writing a Django RESTful API to back an iOS application, and I keep running into Django's CSRF protections whenever I write methods to deal with POST requests. My understanding is that cookies managed by iOS are not shared by applications, meaning that my session cookies are safe, …

Total answers: 5

Attacking Python's pickle

Question: I'm writing a web app that stores user input in an object. This object will be pickled. Is it possible for a user to craft malicious input that could do something egregious when the object is unpickled? Here's a really basic code example that ignores wonderful principles such as encapsulation but …

Total answers: 3