[mod_python] psp_site example doesn't work

Jorey Bump list at joreybump.com
Mon Jan 24 15:29:43 EST 2005


Nicolas Lehuen wrote:

> - some objects from the published modules are accessible through HTTP.
> This means that those modules are potentially subject to security
> problems. In mod_python.publisher, a non-callable object is simply
> transformed into a string and returned to the HTTP client. It's not a
> good idea, therefore, to have a variable named
> MY_VERY_SECRET_PRIVATE_KEY in the module... It's not even a good idea
> to import it! Granted, some other publishers may secure what is
> accessible through HTTP and what is not (mine does), but anyway, it's
> a good idea to distinguish between published modules and the others.

That's disconcerting. Can you provide a sample showing how such a 
variable would be exposed?

> - I personally think it's a good thing for published modules not to be
> compiled into a .pyc or .pyo file. Like for the previous point, my
> concern is about security: .pyc and .pyo files should not be
> accessible through HTTP, lest you want your code be disassembled and
> your private key exposed. A simple .htaccess directive can solve this,
> but what about the zillion people who will forget about it?

Ouch! I wasn't aware of this! Is this all that's necessary?

<FilesMatch "\.(pyc|pyo)$">
     Order allow,deny
     Deny from all
</FilesMatch>

Will that also cause the compiled versions not to be used by mod_python?



