[mod_python] psp_site example doesn't work

Jorey Bump list at joreybump.com
Mon Jan 24 16:12:39 EST 2005


Jorey Bump wrote:
> Nicolas Lehuen wrote:
> 
>> - some objects from the published modules are accessible through HTTP.
>> This means that those modules are potentially subject to security
>> problems. In mod_python.publisher, a non-callable object is simply
>> transformed into a string and returned to the HTTP client. It's not a
>> good idea, therefore, to have a variable named
>> MY_VERY_SECRET_PRIVATE_KEY in the module... It's not even a good idea
>> to import it ! Granted, some other publishers may secure what is
>> accessible through HTTP and what is not (mine does), but anyway, it's
>> a good idea to distinguish between published modules and the others.
> 
> 
> That's disconcerting. Can you provide a sample showing how such a 
> variable would be exposed?

Never mind. I see that it's directly accessible via the URL:

  # foo.py
  secret = 'abc123'

accessible via:

  http://host/foo/secret

To fix:

  # foo.py
  _secret = 'abc123'

not accessible via:

  http://host/foo/_secret

Thank you for pointing this out, Nicolas. I have some editing to do...
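
A small model of the exposure discussed above, added here as an example; it is not code from this thread or from mod_python itself. The module `foo`, its names, and the `resolve`, `is_exposed` and `exposed_names` helpers are all constructed for illustration, and `resolve` only approximates how a publisher-style handler walks a URL path and refuses underscore-prefixed names.

```python
import types

# Constructed stand-in for the published module "foo.py" from the thread.
foo = types.ModuleType("foo")
foo.secret = "abc123"        # public, non-callable: a publisher returns it as text
foo._secret = "abc123"       # underscore-prefixed: hidden from URL traversal
foo.CONFIG = {"db": "prod"}  # any public data object has the same problem


def greet(name="world"):
    return "hello " + name


foo.greet = greet  # callable: the publisher calls it instead of stringifying


class Forbidden(Exception):
    """A name the handler must not expose (stands in for HTTP 403)."""


def resolve(module, path):
    """Walk 'a/b/c' over module attributes the way a publisher does.
    Simplified model: underscore-prefixed names are refused, callables are
    called, and everything else is turned into a string for the client."""
    obj = module
    for name in path.strip("/").split("/"):
        if not name or name.startswith("_"):
            raise Forbidden(name)
        if not hasattr(obj, name):
            raise LookupError(name)
        obj = getattr(obj, name)
    return obj() if callable(obj) else str(obj)


def is_exposed(module, path):
    """True if a request for `path` would return something to the client."""
    try:
        resolve(module, path)
    except (Forbidden, LookupError):
        return False
    return True


def exposed_names(module):
    """Audit helper: public, non-callable module names a publisher would
    hand back as strings. Run it over a published module before deploying."""
    return sorted(
        n for n, v in vars(module).items()
        if not n.startswith("_")
        and not callable(v)
        and not isinstance(v, types.ModuleType)
    )
```

`exposed_names` is the check to run against each published module: every name it lists is readable at `http://host/<module>/<name>` unless it is renamed with a leading underscore or moved out of the published module.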
