[mod_python] Mod_python Security

Graham Dumpleton grahamd at dscpl.com.au
Thu Mar 2 15:06:50 EST 2006


Some more.

1. If using mod_python.psp and you have PythonDebug enabled
the source code for your PSP pages can be visible by virtue of
putting an underscore on the end of the extension. Eg. ".psp_".

It is thus a good idea not to have PyhthonDebug enabled for production
and/or public web site if using mod_python.psp. If you really need
PythonDebug to be on, only enable it for requests coming from
you own client machine in some way.

2. If Apache has write access to directories, it can drop ".pyc" files
into the directories for modules loaded. This extension isn't generally
protected and people can download the ".pyc" files and potentially
work out what your code is. Use something like:

   <Files *.pyc>
   deny from all
   </Files>

Depending on platform, may have to block access to ".pyo" files as
well.

3. PythonDebug in general can reveal stack traces to a client when
something goes wrong. In worst case, this may reveal secret information.

4. Try to avoid putting source code in actual directories visible to
Apache. Especially do not put sensitive information in such files.
The reason here is that it only takes one mistake in Apache  
configuration
and all your code would be visible.

5. If using an extension such as ".html" with AddHandler to map to
handler code in actual directory, ensure you block access to ".py"
extension if need be.

   <Files *.py>
   deny from all
   </Files>

6. If writing a custom handler, if wanting to return apache.DECLINED,
make sure you understand what it does. Specifically, it will cause the
builtin default Apache handler to still run, which will serve up static
files. Like above, you may need to deny access to certain files as a
result.

That is all I can think of for now. Sorry if some of it makes no sense,
am in a rush.

Graham

On 03/03/2006, at 12:54 AM, Nicolas Lehuen wrote:

> There's an important rule :
>
> If you use the publisher, everything which is defined in a published
> module is generally accessible from the web, except if its name begins
> with an underscore.
>
> For example :
>
> # index.py
> # BAD !
> secret_password = "foobar"
>
> def index(req,password):
>     if password != secret_password:
>         return util.redirect(req,'/rejected.html')
>     else:
>         return "Welcome !"
>
> Your secret password in accessible through
> http://my_server/my_folder/index.py/secret_password
>
> To make sure it won't be accessed, rename secret_password to  
> _secret_password.
>
> There are exceptions to this "everything is accessible" rule, namely
> imported modules, new-styles classes and built-in functions cannot be
> traversed nor published. This prevents basic leaks like being able to
> call sys.exit() from any published module that imports sys. Those
> rules are specified in the lib/python/mod_python/publisher.py file, if
> you are curious.
>
> But in any case, be aware that any string defined in a published
> module is accessible unless its name is prefixed by an underscore,
> which includes your precious database password.
>
> Regards,
> Nicolas
>
> 2006/3/2, Mike Looijmans <nlv11281 at natlab.research.philips.com>:
>> As with any server-side scripting, there's:
>>
>> - Cross-site scripting
>> - Code injection
>> - SQL injection
>>
>> But that's typically 'your' fault...
>>
>> Mike Looijmans
>> Philips Natlab / Topic Automation
>>
>>
>> marinus van aswegen wrote:
>>> Hi
>>>
>>> I'd like to publish my page but I'm not sure what security issues
>>> mod_python typically face.
>>> Any recommendations?
>>>
>>>
>>> Regards
>>>
>>>
>>> -------------------------------------------------------------------- 
>>> ----
>>>
>>> _______________________________________________
>>> Mod_python mailing list
>>> Mod_python at modpython.org
>>> http://mailman.modpython.org/mailman/listinfo/mod_python
>>
>> _______________________________________________
>> Mod_python mailing list
>> Mod_python at modpython.org
>> http://mailman.modpython.org/mailman/listinfo/mod_python
>>
>
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python



More information about the Mod_python mailing list