[mod_python] Newbie Publisher Handler questions

John Ward jbward at berkeley.edu
Mon Jan 3 15:53:40 EST 2005

Hi Jorey,

Thanks for the reply.  This information is helpful.  I wasn't familiar with 
the 'sets' module so I'll take a look at it.

Thanks again.


At 11:20 AM 12/29/2004 -0500, Jorey Bump wrote:
>John Ward wrote:
>>1. With mod_python, do I no longer have to worry about limiting the path 
>>available to the script?  (I do my best to maintain an appropriate level 
>>of paranoia, so one thing I'd like to learn is what security mod_python 
>>handles for me and what security I need to write into my scripts.)
>Frankly, I'd leave the path alone. Depending on your environment, it could 
>affect other users or applications. For example, if I set the environment 
>path using mod_python in a virtual host, it also changes the path for perl 
>CGI scripts, where the correct path is more likely to matter. It may seem 
>fine in an environment you control, but makes your application less 
>portable. If you must use popen, set up a variable that contains the 
>complete path to your binary,  and change that when you deploy it 
>somewhere else. With that said, your mod_python applications will have the 
>same rights as the apache user, so plan accordingly.
>For mod_python newbies, here's a simple module to show your path, using 
>the publisher handler:
># path.py
>import os
>def show(req):
>         # uncomment to set path
>         # os.environ['PATH'] = '/usr/bin:/bin'
>         return os.environ['PATH']
>Access it via http://host/path.py/show
>>2. How do mod_python programmers typically handle sanitizing form input?
>For me, this depends on the intended use of the data, and also partly on 
>the version of python. For simple validation, I might turn the input into 
>a list and check the members for illegal characters. The sets module 
>introduced in python 2.3 is now a built-in in 2.4, making this a trivial 
>task. But if your application might run under older versions of python, 
>you'll have to use something a bit more universal.
>For database input, I use placeholders, somewhere along these lines:
>     query = """INSERT INTO users ( name, quest ) VALUES ( %s, %s )"""
>     cursor = dbh.cursor()
>     cursor.execute(query, (req.formdata['name'], req.formdata['quest']))
>Note that this is *not* typical python string replacement. This construct 
>allows you to send any VALUE string to the database, with necessary 
>escapes inserted behind the scenes. It's very handy. You are encouraged to 
>find out more about python and placeholders for your db and test it on 
>your platform (I found a lot of misleading info, but the form above works 
>best for me when using MySQLdb).
>>3. Assuming one has an SMTP server listening on localhost, what is the 
>>recommended way to add messages to the mail queue?
>I prefer smtplib because it's portable, powerful, and offers excellent 
>error handling. Of course, if you want the message queued instead of sent 
>immediately, you'll need to configure your SMTP daemon to do so. You could 
>do this for the MSA on port 587 to avoid running a separate instance.
>>4. When writing CGI scripts in Perl using CGI.pm, one has the option of 
>>limiting the size of POSTs by setting a value for the '$MAX_POST' 
>>variable.  Is there a way to do this using mod_python?  Or is this even 
>>something I need to worry about?
>I haven't run into a need for this, but I do have some textarea form 
>inputs that I'm concerned about, so I'd be interested if this is possible, 
>as well.
>Mod_python mailing list
>Mod_python at modpython.org

More information about the Mod_python mailing list