[mod_python] publisher security concerns

Giorgio Zoppi zoppi at cli.di.unipi.it
Thu Apr 11 18:27:44 EST 2002

On Wed, 10 Apr 2002, Gregory (Grisha) Trubetskoy wrote:

> After a little bit of thinking, this looks like essentially a bug - the
> Publisher (unlike the native mod_python handler) should not allow access
> to files that are not in the directory which is being requested.
> Another way to tackle it is require something like a __publish__ variable
> to be defined inside the module, but I think that would be overkill.
> This is obviously a serious security issue, so I will have to rush a
> release out the door to fix it.

You can allow people to list security policies.
For example: 
- these modules are safe, and can be used, ala default deny stance.
This however doesn't solve the issue, but allow to restrict
potential problems.

More information about the Mod_python mailing list