[mod_python] restricting access to certain variables using mod_python.publisher

Graham Dumpleton grahamd at dscpl.com.au
Mon Mar 14 20:19:33 EST 2005


Graham Dumpleton wrote ..
> You have found a bug in mod_python.publisher. It shouldn't be visible,
> but the code which handles defaulting to "index.py" doesn't reapply the
> rule which stops access to "_" variables.
>
> ...
> The only workaround you would have in the short term is not to use
> an "index.py" file and always name it something different.
> 
> This is actually a security hole because any __auth__ stuff would
> be visible and thus people could work out login/passwd. This may
> require another security fix release of mod_python. :-(

FWIW, the vampire::publisher replacement I wrote for mod_python.publisher
doesn't suffer this problem. It wasn't intentional that I fixed it, but because
of how I completely turned around how a lot of the checks and things are
done, it just so happened to eliminate the bug.

Thus, for those who want to come to the dark side and use my alternative
to mod_python.publisher, that would also be a solution to avoiding this
problem. :-)

Graham
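
The ordering problem described in the quoted text, as an added example that is not part of the original post and is not mod_python's or Vampire's code: a simplified model of a publisher-style resolver in which the "_" rule runs only before the `index.py` defaulting step, next to the form that reapplies it afterwards. The `MODULES` table, `resolve`, `visible` and the `recheck_after_default` switch are all hypothetical names constructed for this sketch.

```python
# Simplified model of a publisher-style URL resolver (constructed for
# illustration; this is not mod_python's source code).

# Constructed sample "modules": module name -> published attributes.
MODULES = {
    "index": {"hello": "hello page", "__auth__": "login/passwd data"},
    "admin": {"status": "status page", "_private": "internal"},
}


class NotFound(Exception):
    """Stands in for an HTTP 404 response."""


def is_private(func_path):
    # The rule from the post: no component of the path may start with "_".
    return any(part.startswith("_") for part in func_path.split("."))


def resolve(path, recheck_after_default):
    parts = [p for p in path.split("/") if p]
    module_name = parts[0] if parts else "index"
    func_path = ".".join(parts[1:]) or "index"
    if is_private(func_path):
        raise NotFound(path)
    if module_name not in MODULES:
        # Defaulting step: treat /name as attribute "name" of index.py.
        func_path, module_name = module_name, "index"
        # The flawed ordering never reaches a second check here.
        if recheck_after_default and is_private(func_path):
            raise NotFound(path)
    try:
        return MODULES[module_name][func_path]
    except KeyError:
        raise NotFound(path)


def visible(path, recheck_after_default):
    # True when the resolver would serve the path, False on NotFound.
    try:
        resolve(path, recheck_after_default)
        return True
    except NotFound:
        return False
```

Running `visible` over every "_" name in a deployment's default module, with the check in both positions, makes a compact regression test for this class of bug.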

