[mod_python] publisher security concerns

Javier Quinteros jquinte at fadu.uba.ar
Mon Apr 8 16:19:18 EST 2002

Hash: SHA1

Hi !!!
If you are worried about exposing some scripts that should "only" be used 
from other modules importing them, there's an easy solution (and I think it's 
the right one)... ;-)

Suppose you've got a script called interfacedb.py in your directory and it's 
full of functions that access your DB without checking anything, because you 
supose that it was imported from the modules that effectively do the 
checkings. The solution is to put this statement at the beggining of the 

__auth__ = {}

This way, you're telling apache that no one is authorize to access (execute) 
this script. You can only call the functions inside the script if you import 
it from other module. This way you should add this statement to every script 
you don't want to be execute directly, no matter what URL you ask your 

Sorry if I misunderstood your question....

Hope this help...

On Friday 05 April 2002 23:43, Allan Saddi wrote:
> Hi there,
> I'm using mod_python 2.7.6 on FreeBSD. I was playing around with
> the publisher handler today when I noticed something of concern.
> I scoured the mailing list archives to see if it was mentioned
> before, but I found no mention of it. (If it was discussed
> before, please point me to the approximate date of the thread.)
> Basically, if a module is loaded indirectly (via an import from
> within another module), an outside user will be able to call
> functions within that module afterward.
> So, for example, if I have a script foo.py that imports pgdb
> (PyGreSQL), and foo.py is later "published" by publisher,
> afterward, I will be able to call functions within pgdb through
> publisher. Note though that if a particular Apache child
> interpreter instance has never loaded foo.py, it will
> (rightfully) reject requests to pgdb.
> The problem seems to lie in mod_python.apache.import_module(),
> specifically this section of code:
>         # keep track of file modification time and
>         # try to reload it if it is newer
>         if sys.modules.has_key(module_name):
>             # the we won't even bother importing
>             module = sys.modules[module_name]
>             ...
> When path is specified and not None (as it normally is when
> import_module() is called from publisher), it is ignored if the
> module already exists in the global modules list (sys.modules).
> I'm a new mod_python user, so I'm not sure if this is a bug or
> an intended feature. The impact of this behavior seems to be
> limited to pure python modules, so thankfully, modules like os
> cannot be exploited this way.  Essentially though, publisher is
> exposing interfaces that the programmer may not know are
> exposed. And that could be bad...
> (Using my pgdb example, I was able to connect to my database
> using the right URL... I wasn't able to do much else beyond
> that, but that alone seemed scary enough.)
> - Allan Saddi
>   asaddi at philosophysw.com

- -- 
- ---------------------------------
Javier Quinteros
jquinte at fadu.uba.ar
Secretaría de Planificación
Universidad de Buenos Aires
- ---------------------------------
Existe un solo lugar donde el Norte y el Sur del mundo se enfrentan en
igualdad de condiciones: es una cancha de fútbol de Brasil, en la 
del río Amazonas. La línea del ecuador corta por la mitad el estadio Zerao, en
Amapá, de modo que cada equipo juega un tiempo en el sur y otro tiempo en el
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org


More information about the Mod_python mailing list