[mod_python] publisher security concerns

Allan Saddi asaddi at philosophysw.com
Mon Apr 8 15:05:28 EST 2002


I've found that this is only true when the module is loaded for
the first time. If the module is already loaded, regardless of
where it was loaded from, then you can access it via URL.

For example, since publisher.py imports base64, you can call
functions within base64 via URL:

  http://website/some/path/base64/encodestring?s=foobar

And this actually works for me. (Using FreeBSD 4.5, Apache
1.3.24, mod_python 2.7.6, Python 2.2)

My .htaccess is simply:

  PythonPath "['/some/directory', '/usr/local/lib/python2.2', '/usr/local/lib/python2.2/lib-dynload', '/usr/local/lib/python2.2/site-packages']"
  SetHandler python-program
  PythonHandler mod_python.publisher
  PythonDebug on

- Allan

On Mon, 8 Apr 2002, Javier Quinteros wrote:

> Don't be worried about Python standard modules. The only things that anyone
> can execute via URL is the scripts you have in the Directory defined in
> apache. This means that all the third-party modules can be placed in
> /usr/local/python2/lib (or whatever) with Python standard modules and will
> not be exposed via apache.
>
> Bye,
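
The traversal Allan describes, modelled in plain Python as an added example (this is not mod_python's publisher code, and it is written for a current Python rather than the Python 2.2 in the thread, so `base64.b64decode` stands in for the old `encodestring`). The first URL path component is looked up among already-loaded modules and the rest is attribute traversal, which is why an imported standard module is reachable; a hardened resolver beside it only publishes modules that were actually loaded from the application directory. The `/some/directory` path is taken from the .htaccess above, the `hello` module and its `greet` function are constructed for the demo, and the registry dict stands in for `sys.modules`:

```python
import os
import sys
import types
from urllib.parse import parse_qs, urlsplit

# Stand-in for the '/some/directory' entry in the .htaccess PythonPath above.
APP_DIR = "/some/directory"


def _kwargs_from_query(query):
    """Turn 's=foobar' into {'s': 'foobar'} (first value wins), the way a
    publisher-style handler builds keyword arguments for the target."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def _split_path(path):
    return [p for p in path.split("/") if p]


def naive_resolve(path, registry=None):
    """Model of the behaviour described in the thread: the first component is
    looked up among loaded modules (sys.modules by default) and the rest is
    plain getattr traversal, so any imported module is reachable by URL."""
    registry = sys.modules if registry is None else registry
    parts = _split_path(path)
    if not parts or parts[0] not in registry:
        raise LookupError("no such loaded module: %r" % path)
    obj = registry[parts[0]]
    for name in parts[1:]:
        obj = getattr(obj, name)
    return obj


def safe_resolve(path, registry=None, app_dir=APP_DIR):
    """Hardened traversal (added here, not publisher's own logic): the module
    must have been loaded from app_dir, underscore-prefixed names are never
    walked, and the final target must be callable."""
    registry = sys.modules if registry is None else registry
    parts = _split_path(path)
    if not parts or any(p.startswith("_") for p in parts):
        raise PermissionError("refusing empty or private path: %r" % path)
    module = registry.get(parts[0])
    if module is None:
        raise LookupError("no such loaded module: %r" % parts[0])
    module_file = os.path.realpath(getattr(module, "__file__", None) or "")
    allowed_root = os.path.realpath(app_dir) + os.sep
    if not module_file.startswith(allowed_root):
        raise PermissionError("%r was not loaded from %s" % (parts[0], app_dir))
    obj = module
    for name in parts[1:]:
        obj = getattr(obj, name)
    if not callable(obj):
        raise PermissionError("%r is not callable" % path)
    return obj


def call_naive(url, registry=None):
    split = urlsplit(url)
    return naive_resolve(split.path, registry)(**_kwargs_from_query(split.query))


def call_safe(url, registry=None, app_dir=APP_DIR):
    split = urlsplit(url)
    target = safe_resolve(split.path, registry, app_dir)
    return target(**_kwargs_from_query(split.query))


def demo_registry():
    """Constructed registry: the real base64 module (as publisher imports it)
    plus a fake application module that claims to come from APP_DIR."""
    import base64
    app = types.ModuleType("hello")
    app.__file__ = APP_DIR + "/hello.py"   # constructed path, no real file
    app.greet = lambda name="world": "hello %s" % name
    app._secret = lambda: "should never be reachable"
    return {"base64": base64, "hello": app}


if __name__ == "__main__":
    reg = demo_registry()
    # Naive: the standard library module is callable through the URL, the
    # Python 3 counterpart of /base64/encodestring?s=foobar from the thread.
    print(call_naive("/base64/b64decode?s=Zm9vYmFy", reg))
    print(call_safe("/hello/greet?name=allan", reg))
    try:
        call_safe("/base64/b64decode?s=Zm9vYmFy", reg)
    except PermissionError as exc:
        print("blocked:", exc)
```

The `__file__` check is the point: loading a module from `/usr/local/lib/python2.2` was never the same as publishing it, so the resolver should decide on where the code came from rather than on whether it happens to be in `sys.modules` already.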
