Graham Dumpleton
grahamd at dscpl.com.au
Wed Dec 14 22:01:15 EST 2005
Roberto C. Sanchez wrote ..
> Graham Dumpleton wrote:
> >
> > Another non-obvious problem which arises because of this arrangement is
> > that if the second instance of Apache you are running has write access
> > to the directories, it will dump Python .pyc files. If you are then only
> > using AddHandler and not SetHandler, there will be nothing to stop
> > someone specifying a URL which targets the .pyc files and they will be
> > able to download them also and then decompile them, thus potentially
> > getting access to sensitive information.
> >
> > Good idea to have an explicit rule:
> >
> >   <Files *.pyc>
> >   deny from all
> >   </Files>
> >
>
> I had not considered that. However, I don't see any .pyc files anywhere
> under ~/public_html/.

If you are using mod_python.psp you will not, but if you use PythonHandler
to target a handler .py file in ~/public_html, or you are using mod_python
version 3.1.4 or older and mod_python.publisher, you can.

Graham
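An audit for the condition discussed in this message, as an added example that is not part of the original post or of mod_python: it walks a web-served tree and reports compiled bytecode already on disk, plus directories with .py sources that the current account can write to. The function names and the sample tree are constructed for illustration.

```python
import os
import sys
import tempfile

BYTECODE_EXTS = (".pyc", ".pyo")


def audit_docroot(root):
    """Return (bytecode_files, writable_source_dirs), paths relative to root.

    bytecode_files: compiled files on disk, which a server configured with
      AddHandler rather than SetHandler would serve as static content.
    writable_source_dirs: directories holding .py sources that the current
      user can write to, i.e. where new bytecode can be dropped.
    """
    bytecode, writable = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        rel = os.path.relpath(dirpath, root)
        for name in sorted(filenames):
            if name.endswith(BYTECODE_EXTS):
                bytecode.append(os.path.normpath(os.path.join(rel, name)))
        has_source = any(n.endswith(".py") for n in filenames)
        if has_source and os.access(dirpath, os.W_OK):
            writable.append(rel)
    return bytecode, writable


def build_sample_tree(base):
    """Constructed sample: a handler with stale bytecode plus a static dir."""
    app = os.path.join(base, "app")
    static = os.path.join(base, "static")
    os.makedirs(app)
    os.makedirs(static)
    for path in (os.path.join(app, "handler.py"),
                 os.path.join(app, "handler.pyc"),
                 os.path.join(static, "index.html")):
        with open(path, "w") as fh:
            fh.write("")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found, dirs = audit_docroot(sys.argv[1])
    else:
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp)
            found, dirs = audit_docroot(tmp)
    print("bytecode on disk:", found)
    print("writable source dirs:", dirs)
```

The writable-directory result reflects the account running the script, so run it as the user the Apache instance runs as.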