Jorey Bump
list at joreybump.com
Mon Jan 24 15:29:43 EST 2005
Nicolas Lehuen wrote:
> - some objects from the published modules are accessible through HTTP.
> This means that those modules are potentially subject to security
> problems. In mod_python.publisher, a non-callable object is simply
> transformed into a string and returned to the HTTP client. It's not a
> good idea, therefore, to have a variable named
> MY_VERY_SECRET_PRIVATE_KEY in the module... It's not even a good idea
> to import it! Granted, some other publishers may secure what is
> accessible through HTTP and what is not (mine does), but anyway, it's
> a good idea to distinguish between published modules and the others.
That's disconcerting. Can you provide a sample showing how such a
variable would be exposed?
> - I personally think it's a good thing for published modules not to be
> compiled into a .pyc or .pyo file. Like for the previous point, my
> concern is about security: .pyc and .pyo files should not be
> accessible through HTTP, lest you want your code be disassembled and
> your private key exposed. A simple .htaccess directive can solve this,
> but what about the zillion people who will forget about it?
Ouch! I wasn't aware of this! Is this all that's necessary?
<FilesMatch "\.(pyc|pyo)$">
    Order allow,deny
    Deny from all
</FilesMatch>
Will that also cause the compiled versions not to be used by mod_python?
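The exposure Nicolas describes, as an added illustration that is not part of the original thread and not mod_python's own code: a small model of publisher-style dispatch (walk the URL path with getattr, call callables, str() everything else) beside a guarded variant that only serves allow-listed, callable, non-underscore names. The module, its "secret" and the allow-list are constructed sample values.

```python
import types


def make_published_module():
    """Constructed sample of a module handed to a publisher-style handler."""
    secrets = types.ModuleType("secrets")            # an imported helper module
    secrets.MY_VERY_SECRET_PRIVATE_KEY = "constructed-sample-key"
    mod = types.ModuleType("published")
    mod.secrets = secrets                            # the import is itself an attribute
    mod.GREETING = "hello"                           # plain non-callable module variable
    mod.index = lambda req: "index page"             # the only object meant to be served
    mod._internal = lambda req: "private helper"
    return mod


class NotFound(Exception):
    """Stands in for an HTTP 404 in a real handler."""


def naive_publish(mod, path, req=None):
    """Model of the behaviour quoted above: resolve each path segment with
    getattr, call the final object if it is callable, otherwise convert it
    to a string and return that. Every module variable, and anything
    reachable through an imported module, is therefore readable over HTTP."""
    obj = mod
    for segment in path.strip("/").split("/"):
        obj = getattr(obj, segment)
    return obj(req) if callable(obj) else str(obj)


def guarded_publish(mod, path, allowed, req=None):
    """Hardened model: exactly one path segment, present on an explicit
    allow-list, not underscore-prefixed, and callable. Nothing else is
    served, so no object is ever stringified for the client."""
    segments = path.strip("/").split("/")
    name = segments[0]
    if len(segments) != 1 or name.startswith("_") or name not in allowed:
        raise NotFound(path)
    obj = getattr(mod, name, None)
    if not callable(obj):
        raise NotFound(path)
    return obj(req)
```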