[mod_python] Newbie Publisher Handler questions

Jorey Bump list at joreybump.com
Wed Dec 29 11:20:56 EST 2004

John Ward wrote:

> 1. With mod_python, do I no longer have to worry about limiting the path 
> available to the script?  (I do my best to maintain an appropriate level 
> of paranoia, so one thing I'd like to learn is what security mod_python 
> handles for me and what security I need to write into my scripts.)

Frankly, I'd leave the path alone. Depending on your environment, it 
could affect other users or applications. For example, if I set the 
environment path using mod_python in a virtual host, it also changes the 
path for perl CGI scripts, where the correct path is more likely to 
matter. It may seem fine in an environment you control, but makes your 
application less portable. If you must use popen, set up a variable that 
contains the complete path to your binary,  and change that when you 
deploy it somewhere else. With that said, your mod_python applications 
will have the same rights as the apache user, so plan accordingly.

For mod_python newbies, here's a simple module to show your path, using 
the publisher handler:

# path.py
import os
def show(req):
	# uncomment to set path
         # os.environ['PATH'] = '/usr/bin:/bin'
         return os.environ['PATH']

Access it via http://host/path.py/show

> 2. How do mod_python programmers typically handle sanitizing form input?

For me, this depends on the intended use of the data, and also partly on 
the version of python. For simple validation, I might turn the input 
into a list and check the members for illegal characters. The sets 
module introduced in python 2.3 is now a built-in in 2.4, making this a 
trivial task. But if your application might run under older versions of 
python, you'll have to use something a bit more universal.

For database input, I use placeholders, somewhere along these lines:

     query = """INSERT INTO users ( name, quest ) VALUES ( %s, %s )"""
     cursor = dbh.cursor()
     cursor.execute(query, (req.formdata['name'], req.formdata['quest']))

Note that this is *not* typical python string replacement. This 
construct allows you to send any VALUE string to the database, with 
necessary escapes inserted behind the scenes. It's very handy. You are 
encouraged to find out more about python and placeholders for your db 
and test it on your platform (I found a lot of misleading info, but the 
form above works best for me when using MySQLdb).

> 3. Assuming one has an SMTP server listening on localhost, what is the 
> recommended way to add messages to the mail queue?

I prefer smtplib because it's portable, powerful, and offers excellent 
error handling. Of course, if you want the message queued instead of 
sent immediately, you'll need to configure your SMTP daemon to do so. 
You could do this for the MSA on port 587 to avoid running a separate 

> 4. When writing CGI scripts in Perl using CGI.pm, one has the option of 
> limiting the size of POSTs by setting a value for the '$MAX_POST' 
> variable.  Is there a way to do this using mod_python?  Or is this even 
> something I need to worry about?

I haven't run into a need for this, but I do have some textarea form 
inputs that I'm concerned about, so I'd be interested if this is 
possible, as well.

More information about the Mod_python mailing list