list at joreybump.com
Mon Jan 24 16:12:39 EST 2005
Jorey Bump wrote:
> Nicolas Lehuen wrote:
>
>> - some objects from the published modules are accessible through HTTP.
>> This means that those modules are potentially subject to security
>> problems. In mod_python.publisher, a non-callable object is simply
>> transformed into a string and returned to the HTTP client. It's not a
>> good idea, therefore, to have a variable named
>> MY_VERY_SECRET_PRIVATE_KEY in the module... It's not even a good idea
>> to import it! Granted, some other publishers may secure what is
>> accessible through HTTP and what is not (mine does), but anyway, it's
>> a good idea to distinguish between published modules and the others.
>
> That's disconcerting. Can you provide a sample showing how such a
> variable would be exposed?

Nevermind. I see that it's directly accessible via the URL:

    # foo.py
    secret = 'abc123'

accessible via:

    http://host/foo/secret

To fix:

    # foo.py
    _secret = 'abc123'

not accessible via:

    http://host/foo/_secret

Thank you for pointing this out, Nicolas. I have some editing to do...
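The exposure described in this exchange, as an added illustration that is not part of the original thread or of mod_python itself: a simplified model of a publisher-style traversal (path segments resolved as attribute lookups, underscore-prefixed names hidden, non-callables stringified) run against constructed stand-ins for the two versions of foo.py, plus an audit helper that lists which module-level names such a traversal would serve. The `resolve`, `publish`, `audit` and `make_module` names are this example's own, and the model deliberately omits the rest of the real publisher's rules.

```python
import types
from typing import Any


class NotFound(Exception):
    """Raised when a path segment is hidden or missing (stands in for a 404)."""


def resolve(module: types.ModuleType, path: str) -> Any:
    """Resolve a path such as 'secret' relative to a published module the way a
    publisher-style traversal would: each segment is an attribute lookup, and
    names starting with an underscore are refused (the convention the post uses)."""
    obj: Any = module
    for segment in path.strip("/").split("/"):
        if not segment or segment.startswith("_"):
            raise NotFound(segment)
        try:
            obj = getattr(obj, segment)
        except AttributeError:
            raise NotFound(segment) from None
    return obj


def publish(module: types.ModuleType, path: str) -> str:
    """Response body: a callable is called with no arguments, anything else is
    turned into a string, which is the behaviour the post describes."""
    obj = resolve(module, path)
    return obj() if callable(obj) else str(obj)


def audit(module: types.ModuleType) -> list:
    """Module-level names the traversal would hand straight to a client as a
    string: public (non-underscore) names bound to non-callable objects."""
    return sorted(name for name, value in vars(module).items()
                  if not name.startswith("_") and not callable(value))


def make_module(name: str, **attrs: Any) -> types.ModuleType:
    """Build a module object in memory (constructed stand-in for a file on disk)."""
    mod = types.ModuleType(name)
    mod.__dict__.update(attrs)
    return mod


# Constructed stand-ins for the "before" and "after" foo.py in the post.
foo_before = make_module("foo", secret="abc123", index=lambda: "hello")
foo_after = make_module("foo", _secret="abc123", index=lambda: "hello")

if __name__ == "__main__":
    print(publish(foo_before, "secret"))   # the secret leaks as a plain string
    print(audit(foo_before), audit(foo_after))
```

Running `audit` over a module before publishing it is the check worth keeping: anything it lists is a value a client could fetch by name.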