[mod_python] publisher security concerns

Allan Saddi asaddi at philosophysw.com
Mon Apr 8 13:34:11 EST 2002


Hi Javier,

That was very helpful, and yes, it does actually sound like the
"right" solution. :) The only drawback is that any third-party
modules (that is, modules that you didn't write yourself) will
have to be modified similarly. This may or may not be an easy
task, depending on the number of such modules you use in your
project. (And what about Python standard modules?)

I guess I'm basically looking for a "deny by default" type of
solution, which can easily be done by modifying publisher. But
such changes would break publisher's generalness and existing
apps built around publisher, so I guess it's not a very useful
thing to implement in the mod_python distribution.

Thanks.
- Allan

On Mon, 8 Apr 2002, Javier Quinteros wrote:

> Hi !!!
> If you are worried about exposing some scripts that should "only" be used
> from other modules importing them, there's an easy solution (and I think it's
> the right one)... ;-)
>
> Suppose you've got a script called interfacedb.py in your directory and it's
> full of functions that access your DB without checking anything, because you
> suppose that it was imported from the modules that effectively do the
> checks. The solution is to put this statement at the beginning of the
> script:
>
> __auth__ = {}
>
> This way, you're telling Apache that no one is authorized to access (execute)
> this script. You can only call the functions inside the script if you import
> it from another module. This way you should add this statement to every script
> you don't want to be executed directly, no matter what URL you ask your
> browser.
>
> Sorry if I misunderstood your question....
>
> Hope this helps...
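
The "deny by default" approach mentioned in the reply above, sketched as an added example (it is not mod_python's publisher code and not from either poster): a resolver that publishes only functions explicitly marked with a hypothetical `expose` decorator, so unmarked helpers and imported third-party or standard modules stay unreachable without being edited. The names `expose`, `resolve`, `Denied`, `build_sample` and the sample `app` module are assumptions made for illustration.

```python
import os
import types


def expose(func):
    """Hypothetical marker: opt a function in to being reachable from a URL."""
    func._published = True
    return func


class Denied(Exception):
    """Raised when a dotted path does not resolve to an explicitly exposed callable."""


def resolve(module, path):
    """Resolve a dotted path such as 'index' against module, denying by default."""
    obj = module
    for name in path.split("."):
        # Empty and underscore-prefixed names are never traversable.
        if not name or name.startswith("_"):
            raise Denied(path)
        obj = getattr(obj, name, None)
        # Never walk into imported modules (third-party or standard library).
        if obj is None or isinstance(obj, types.ModuleType):
            raise Denied(path)
    # The final object must be callable and carry the explicit opt-in marker.
    if not callable(obj) or getattr(obj, "_published", False) is not True:
        raise Denied(path)
    return obj


def build_sample():
    """Constructed sample module: one exposed handler, one unmarked DB helper."""
    app = types.ModuleType("app")

    def delete_all_rows():  # internal helper, never marked
        return "rows deleted"

    @expose
    def index():
        return "hello"

    app.delete_all_rows = delete_all_rows
    app.index = index
    app.os = os  # an imported standard module sitting in the namespace
    return app


if __name__ == "__main__":
    app = build_sample()
    print(resolve(app, "index")())
```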



