In addition to all of the standard security concerns with CGI scripts,
if an attacker can observe the HTTP headers sent or received during a
connection then they can trivially insert input into the connection.
Also, with the same information and a connection using the polling method
an attacker can easily take over the connection.
For these reasons it is highly recommended that Urwid applications using
web_display be run over SSL, or run only on trusted networks.
How it Works
Browsers that support "Content-type: multipart/x-mixed-replace" such as
Mozilla Firefox open a single persistant connection for screen updates and
send keyboard input across separate short-lived connections.
Urwid applications run with this method are very much like standard CGI
scripts except that web_display handles all the input and output. When
there is a problem the application's error messages will appear in
Apache's error logs.
For legacy browsers Urwid also supports a polling method. These browsers
send separate requests for each screen update.
Once an Urwid application calls draw_screen(..) it will detach from Apache
and become a daemon. When there is a problem after the process has become
a daemon the error messages will be left in a file in the pipe_dir
configured (by default /tmp).
