Nicolas Lehuen
nicolas.lehuen at gmail.com
Tue Jan 25 02:10:24 EST 2005
On Mon, 24 Jan 2005 15:29:43 -0500, Jorey Bump <list at joreybump.com> wrote:
> Nicolas Lehuen wrote:
>
> > - some objects from the published modules are accessible through HTTP.
> > This means that those modules are potentially subject to security
> > problems. In mod_python.publisher, a non-callable object is simply
> > transformed into a string and returned to the HTTP client. It's not a
> > good idea, therefore, to have a variable named
> > MY_VERY_SECRET_PRIVATE_KEY in the module... It's not even a good idea
> > to import it! Granted, some other publishers may secure what is
> > accessible through HTTP and what is not (mine does), but anyway, it's
> > a good idea to distinguish between published modules and the others.
>
> That's disconcerting. Can you provide a sample showing how such a
> variable would be exposed?

Here is the test I did yesterday to check my assertion:

## index.py
import mod_python, sys, time

SECRET = "Hello, world !"

def index(req):
    req.content_type='text/html'
    return """<html><head><title>mod_python.publisher info</title></head><body>
<p>mod_python.publisher runs !</p>
<p>Now: %s</p>
<p>Python version : <code>%s</code></p>
<p>Python path : <code>%s</code></p>
<p><a href="pspinfo.psp">mode_python.psp info</a></p>
</body></html>""" % (time.ctime(),sys.version,sys.path)

If you call http://localhost/index.py, you get an information page. If
you call http://localhost/index.py/SECRET, then you get the supposedly
super secret variable, directly displayed in your browser.

(BTW, I think we should provide a built-in test handler that would
reside in the PYTHONPATH like the mod_python.* modules. This way, users
would be able to test the basic mod_python installation without having
problems with the mptest.py business.)

> > - I personally think it's a good thing for published modules not to be
> > compiled into a .pyc or .pyo file. Like for the previous point, my
> > concern is about security: .pyc and .pyo files should not be
> > accessible through HTTP, unless you want your code to be disassembled and
> > your private key exposed. A simple .htaccess directive can solve this,
> > but what about the zillion people who will forget about it?
>
> Ouch! I wasn't aware of this! Is this all that's necessary?
>
> <FilesMatch "\.(pyc|pyo)$">
> Order allow,deny
> Deny from all
> </FilesMatch>

Yes, though I'd rather write "\.py[co]$" (it should be slightly more
efficient, performance-wise).

> Will that also cause the compiled versions not to be used by mod_python?

No. The import mechanism of mod_python and the authorization mechanism
of Apache are totally orthogonal.
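Added example, not part of the original message and not mod_python's own code: a simplified stand-alone model of the lookup described above, with an audit helper that lists the module-level names such a publisher would return as text, and a stricter lookup that only serves functions defined in the module itself. The names naive_publish, audit_exposed_data, strict_publish and NotPublished are hypothetical, and the sample module is a constructed stand-in for the index.py in the message.

```python
import inspect
import types

# Constructed stand-in for the index.py in the message (never loaded by Apache).
SAMPLE_SOURCE = '''
import sys, time
SECRET = "Hello, world !"
def index(req):
    return "info page"
'''

def load_sample():
    """Build the sample module in memory so the example runs offline."""
    mod = types.ModuleType("index")
    exec(SAMPLE_SOURCE, mod.__dict__)
    return mod

def naive_publish(module, path, req=None):
    """Model of the behaviour the message describes (an assumption, not
    mod_python source): callables are called, anything else is stringified."""
    obj = getattr(module, path or "index")
    return obj(req) if callable(obj) else str(obj)

def audit_exposed_data(module):
    """Public, non-callable names that naive_publish would hand to a client."""
    return sorted(
        name for name, value in vars(module).items()
        if not name.startswith("__") and not callable(value)
    )

class NotPublished(Exception):
    """A real handler would translate this into a 404 response."""

def strict_publish(module, path, req=None):
    """Serve only plain functions that were defined in this module."""
    name = path or "index"
    obj = vars(module).get(name)
    if (name.startswith("_") or not inspect.isfunction(obj)
            or obj.__module__ != module.__name__):
        raise NotPublished(name)
    return obj(req)

if __name__ == "__main__":
    sample = load_sample()
    print("exposed as text:", audit_exposed_data(sample))
    print("naive /SECRET  :", naive_publish(sample, "SECRET"))
```

Running audit_exposed_data over each module under a published directory before deployment shows which constants and imported modules need to move into a separate, non-published module.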