Jorey Bump
list at joreybump.com
Mon Jan 24 15:29:43 EST 2005
Nicolas Lehuen wrote:

> - some objects from the published modules are accessible through HTTP.
> This means that those modules are potentially subject to security
> problems. In mod_python.publisher, a non-callable object is simply
> transformed into a string and returned to the HTTP client. It's not a
> good idea, therefore, to have a variable named
> MY_VERY_SECRET_PRIVATE_KEY in the module... It's not even a good idea
> to import it! Granted, some other publishers may secure what is
> accessible through HTTP and what is not (mine does), but anyway, it's
> a good idea to distinguish between published modules and the others.

That's disconcerting. Can you provide a sample showing how such a variable would be exposed?

> - I personally think it's a good thing for published modules not to be
> compiled into a .pyc or .pyo file. Like for the previous point, my
> concern is about security: .pyc and .pyo files should not be
> accessible through HTTP, lest you want your code be disassembled and
> your private key exposed. A simple .htaccess directive can solve this,
> but what about the zillion people who will forget about it?

Ouch! I wasn't aware of this! Is this all that's necessary?

    <FilesMatch "\.(pyc|pyo)$">
        Order allow,deny
        Deny from all
    </FilesMatch>

Will that also cause the compiled versions not to be used by mod_python?
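The exposure Nicolas describes, modelled as an added example that is not part of this thread and not mod_python's own code: a constructed in-memory "published module" holding an imported secret, a permissive publisher that stringifies any non-callable it is asked for, and a stricter variant that only serves callables and refuses underscore-prefixed names (the `make_module`, `naive_publish` and `strict_publish` helpers are assumptions for the illustration).

```python
import types


def make_module(**attrs):
    """Build an in-memory module standing in for a published .py file (constructed sample)."""
    mod = types.ModuleType("published")
    mod.__dict__.update(attrs)
    return mod


def naive_publish(mod, name):
    """Permissive traversal as described in the thread: a callable is called,
    anything else is turned into a string and handed to the HTTP client."""
    obj = getattr(mod, name)
    return obj() if callable(obj) else str(obj)


def strict_publish(mod, name):
    """Hardened traversal: private names and non-callables are refused,
    so module-level data (keys, config, imported constants) is never served."""
    if name.startswith("_"):
        raise PermissionError(f"{name}: private name")
    obj = getattr(mod, name, None)
    if obj is None or not callable(obj):
        raise PermissionError(f"{name}: not a published handler")
    return obj()


def is_refused(mod, name):
    """True when strict_publish refuses the name (what an HTTP 403 would cover)."""
    try:
        strict_publish(mod, name)
    except PermissionError:
        return True
    return False


# Constructed published module: one real handler plus a secret that was
# imported at module level, exactly the situation the thread warns about.
SAMPLE = make_module(
    MY_VERY_SECRET_PRIVATE_KEY="constructed-sample-key",
    _helper=lambda: "internal",
    index=lambda: "hello from index",
)
```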