Allan Saddi
asaddi at philosophysw.com
Fri Apr 5 18:43:55 EST 2002
Hi there,

I'm using mod_python 2.7.6 on FreeBSD. I was playing around with the publisher handler today when I noticed something of concern. I scoured the mailing list archives to see if it was mentioned before, but I found no mention of it. (If it was discussed before, please point me to the approximate date of the thread.)

Basically, if a module is loaded indirectly (via an import from within another module), an outside user will be able to call functions within that module afterward. So, for example, if I have a script foo.py that imports pgdb (PyGreSQL), and foo.py is later "published" by publisher, afterward I will be able to call functions within pgdb through publisher. Note though that if a particular Apache child interpreter instance has never loaded foo.py, it will (rightfully) reject requests to pgdb.

The problem seems to lie in mod_python.apache.import_module(), specifically this section of code:

    # keep track of file modification time and
    # try to reload it if it is newer
    if sys.modules.has_key(module_name):
        # then we won't even bother importing
        module = sys.modules[module_name]
        ...

When path is specified and not None (as it normally is when import_module() is called from publisher), it is ignored if the module already exists in the global modules list (sys.modules).

I'm a new mod_python user, so I'm not sure if this is a bug or an intended feature. The impact of this behavior seems to be limited to pure Python modules, so thankfully modules like os cannot be exploited this way. Essentially though, publisher is exposing interfaces that the programmer may not know are exposed. And that could be bad... (Using my pgdb example, I was able to connect to my database using the right URL... I wasn't able to do much else beyond that, but that alone seemed scary enough.)

- Allan Saddi
asaddi at philosophysw.com
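The mechanism described in the message above, as an added example that is not part of the original post or of mod_python's own code: a small model of the publisher lookup in which a module already present in sys.modules is returned without the path argument ever being consulted, so a library that a published script imported becomes callable by URL. The module names (pub_foo for foo.py, fake_pgdb for pgdb), the temporary directory layout, and the restrict= document-root check are all assumptions made for the example; the check is a suggested mitigation, not something the post or mod_python 2.7.6 provides.

```python
"""Model of the report above: an entry in sys.modules short-circuits a
path-restricted lookup, so a library pulled in by a published script is
later served by URL.

Constructed example, not mod_python's code. 'fake_pgdb' stands in for
pgdb (installed outside the document root), 'pub_foo' for the published
foo.py; the directory layout and the restrict= check are assumptions."""
import importlib.machinery
import importlib.util
import os
import shutil
import sys
import tempfile


def _write(path, src):
    with open(path, "w") as fh:
        fh.write(src)


def build_tree():
    """Create a throwaway document root plus a separate 'site-packages'."""
    root = tempfile.mkdtemp(prefix="publisher_demo_")
    docroot = os.path.join(root, "htdocs")
    libdir = os.path.join(root, "site-packages")
    os.makedirs(docroot)
    os.makedirs(libdir)
    # Stand-in for pgdb: installed outside the document root.
    _write(os.path.join(libdir, "fake_pgdb.py"),
           "def connect(dsn='db'):\n    return 'connected to ' + dsn\n")
    # Stand-in for foo.py: the only module the programmer meant to publish.
    _write(os.path.join(docroot, "pub_foo.py"),
           "import fake_pgdb\n"
           "def index():\n    return fake_pgdb.connect('localdb')\n")
    return root, docroot, libdir


def import_module_sys_modules_first(module_name, path=None):
    """Mirrors the quoted import_module() logic: a hit in sys.modules is
    returned at once and `path` is never consulted.  The fall-through uses
    importlib where mod_python 2.x used imp.find_module."""
    if module_name in sys.modules:
        return sys.modules[module_name]
    spec = importlib.machinery.PathFinder.find_spec(module_name, path)
    if spec is None:
        raise ImportError("%s not found on %r" % (module_name, path))
    module = importlib.util.module_from_spec(spec)
    sys.modules[module_name] = module
    spec.loader.exec_module(module)
    return module


def publish(docroot, module_name, func_name, restrict=False):
    """Minimal publisher: resolve /module_name/func_name and call it.
    restrict=True adds an assumed mitigation: only serve modules whose
    source file sits under the document root."""
    module = import_module_sys_modules_first(module_name, [docroot])
    if restrict:
        real_root = os.path.realpath(docroot) + os.sep
        mod_file = getattr(module, "__file__", None)
        # Modules without a usable __file__ (built-ins, C extensions) are
        # rejected as well, which is the conservative outcome.
        if not mod_file or not os.path.realpath(mod_file).startswith(real_root):
            raise PermissionError("%s is not under the document root" % module_name)
    return getattr(module, func_name)()


def demo():
    """Run the steps from the report in order and return each outcome."""
    names = ("pub_foo", "fake_pgdb")
    root, docroot, libdir = build_tree()
    sys.path.insert(0, libdir)  # simulate site-packages for the library
    for name in names:
        sys.modules.pop(name, None)
    results = {}
    try:
        # 1. Fresh child interpreter: fake_pgdb is not under the docroot,
        #    so the path-restricted lookup rightly rejects it.
        try:
            publish(docroot, "fake_pgdb", "connect")
            results["before_load"] = "exposed"
        except ImportError:
            results["before_load"] = "rejected"
        # 2. Publishing pub_foo drags fake_pgdb into sys.modules.
        results["index"] = publish(docroot, "pub_foo", "index")
        # 3. The sys.modules short-circuit now serves the library by URL.
        results["after_load"] = publish(docroot, "fake_pgdb", "connect")
        # 4. With the docroot check the script still works, the library does not.
        results["index_restricted"] = publish(docroot, "pub_foo", "index", restrict=True)
        try:
            publish(docroot, "fake_pgdb", "connect", restrict=True)
            results["after_load_restricted"] = "exposed"
        except PermissionError:
            results["after_load_restricted"] = "rejected"
    finally:
        sys.path.remove(libdir)
        for name in names:
            sys.modules.pop(name, None)
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print("%-22s %s" % (step, outcome))
```

Running the block reproduces the sequence from the report: the first request for fake_pgdb is rejected, the request for pub_foo/index succeeds, and the second request for fake_pgdb/connect then succeeds because the module was found in sys.modules. The restrict= branch shows one way a resolver can keep honouring its path argument even for cached modules: compare the module's __file__ against the document root and refuse anything else, including modules that have no __file__ at all.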