Graham Dumpleton
grahamd at dscpl.com.au
Mon Mar 14 20:19:33 EST 2005
Graham Dumpleton wrote ..
> You have found a bug in mod_python.publisher. It shouldn't be visible,
> but the code which handles defaulting to "index.py" doesn't reapply the
> rule which stops access to "_" variables.
>
> ...
> The only workaround you would have in the short term is not to use
> an "index.py" file and always name it something different.
>
> This is actually a security hole because any __auth__ stuff would
> be visible and thus people could work out login/passwd. This may
> require another security fix release of mod_python. :-(

FWIW, the vampire::publisher replacement I wrote for mod_python.publisher
doesn't suffer this problem. It wasn't intentional that I fixed it, but
because of how I completely turned around how a lot of the checks and
things are done, it just so happened to eliminate the bug.

Thus, for those who want to come to the dark side and use my alternative
to mod_python.publisher, that would also be a solution to avoiding this
problem. :-)

Graham
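Added example, not part of the original post and not mod_python's or Vampire's code: a simplified model of the class of bug described above, where a "_" rule applied before the "index" default is chosen does not cover the target that the default produces. The `MODULES` table, the fallback mechanics and all function names are assumptions made for illustration.

```python
# Constructed sample data: published modules and their callables.
MODULES = {
    "index": {"index": lambda: "home", "hello": lambda: "hi",
              "__auth__": lambda: "auth-hook"},
    "page": {"view": lambda: "page view"},
}

class Forbidden(Exception):
    """Raised when a URL names something starting with '_'."""

def _reject_private(names):
    # The rule from the post: "_" names must never be reachable by URL.
    if any(n.startswith("_") for n in names):
        raise Forbidden("/".join(names))

def _split(path):
    parts = [p for p in path.split("/") if p]
    module = parts[0] if parts else "index"
    return module, parts[1:] or ["index"], parts

def _lookup(module, func_parts):
    obj = MODULES[module]
    for name in func_parts:
        if not isinstance(obj, dict):
            raise KeyError(name)  # models "not found"
        obj = obj[name]
    return obj

def resolve_check_early(path):
    """Rule applied once, before the default module is substituted."""
    module, func_parts, parts = _split(path)
    _reject_private(func_parts)
    if module not in MODULES:      # fall back to the default module
        module, func_parts = "index", parts   # new target is never re-checked
    return _lookup(module, func_parts)

def resolve_check_late(path):
    """Rule applied to the final target, after every default is resolved."""
    module, func_parts, parts = _split(path)
    if module not in MODULES:
        module, func_parts = "index", parts
    _reject_private([module] + func_parts)
    return _lookup(module, func_parts)

def is_blocked(resolver, path):
    try:
        resolver(path)
    except Forbidden:
        return True
    return False
```

Running the rule on the final module and function names, rather than on the names as first parsed, keeps every defaulting branch under the same check.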