[mod_python] psp_site example doesn't work

Nicolas Lehuen nicolas.lehuen at gmail.com
Tue Jan 25 02:10:24 EST 2005


On Mon, 24 Jan 2005 15:29:43 -0500, Jorey Bump <list at joreybump.com> wrote:
> Nicolas Lehuen wrote:
> 
> > - some objects from the published modules are accessible through HTTP.
> > This means that those modules are potentially subject to security
> > problems. In mod_python.publisher, a non-callable object is simply
> > transformed into a string and returned to the HTTP client. It's not a
> > good idea, therefore, to have a variable named
> > MY_VERY_SECRET_PRIVATE_KEY in the module... It's not even a good idea
> > to import it ! Granted, some other publishers may secure what is
> > accessible through HTTP and what is not (mine does), but anyway, it's
> > a good idea to distinguish between published modules and the others.
> 
> That's disconcerting. Can you provide a sample showing how such a
> variable would be exposed?

Here is the test I did yesterday to check my assertion:

## index.py
import mod_python, sys, time

# Module-level, non-callable object: the publisher returns str(SECRET)
# for a request to /index.py/SECRET
SECRET = "Hello, world !"

def index(req):
    req.content_type = 'text/html'
    return """<html><head><title>mod_python.publisher info</title></head><body>
    <p>mod_python.publisher runs !</p>
    <p>Now: %s</p>
    <p>Python version : <code>%s</code></p>
    <p>Python path : <code>%s</code></p>
    <p><a href="pspinfo.psp">mod_python.psp info</a></p>
</body></html>""" % (time.ctime(), sys.version, sys.path)

If you call http://localhost/index.py, you get an information page.
If you call http://localhost/index.py/SECRET, then you get the
supposedly super secret variable, directly displayed in your browser.

(BTW, I think we should provide a built-in test handler that would
reside in the PYTHONPATH like the mod_python.* modules. This way,
users would be able to test the basic mod_python installation without
having problems with the mptest.py business.)
 
> > - I personally think it's a good thing for published modules not to be
> > compiled into a .pyc or .pyo file. Like for the previous point, my
> > concern is about security: .pyc and .pyo files should not be
> > accessible through HTTP, unless you want your code to be disassembled and
> > your private key exposed. A simple .htaccess directive can solve this,
> > but what about the zillion people who will forget about it?
> 
> Ouch! I wasn't aware of this! Is this all that's necessary?
> 
> <FilesMatch "\.(pyc|pyo)$">
>      Order allow,deny
>      Deny from all
> </FilesMatch>

Yes, though I'd rather write "\.py[co]$" (it should be slightly more
efficient, performance-wise).
 
> Will that also cause the compiled versions not to be used by mod_python?

No. The import mechanism of mod_python and the authorization mechanism
of Apache are totally orthogonal.
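A small audit helper, added here as an example and not taken from the thread or from mod_python itself: it lists the public, non-callable module attributes that the publisher behaviour described above would serve as strings, run against a constructed stand-in for the index.py module (treating underscore-prefixed names as private is an assumption of this helper).

```python
"""Audit which module-level names mod_python.publisher would expose as text.

Added example, not code from the mailing list thread or from mod_python.
"""
import sys
import time
import types


def exposed_names(module):
    """Return the sorted public, non-callable attribute names of `module`.

    Under the behaviour described in the thread, /index.py/<name> returns
    str(module.<name>) for any such name, while callables are invoked.
    Names starting with an underscore are skipped here on the assumption
    that they are treated as private; imported modules are deliberately
    kept, since they are reachable attributes too ("not even a good idea
    to import it").
    """
    found = []
    for name, value in vars(module).items():
        if name.startswith('_'):
            continue
        if callable(value):
            continue  # published as a handler, not rendered as a string
        found.append(name)
    return sorted(found)


def build_sample_module():
    """Constructed stand-in for the index.py shown above (no Apache needed)."""
    mod = types.ModuleType('index')
    mod.sys = sys
    mod.time = time
    mod.SECRET = "Hello, world !"

    def index(req):
        return "info page"

    mod.index = index
    return mod


if __name__ == '__main__':
    for name in exposed_names(build_sample_module()):
        print("exposed:", name)
```

Running the same check against a real published module (import it and pass the module object) gives a quick list of what to move out of the module or rename before deploying.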