[mod_python] restricting access to certainvariablesusingmod_python.publisher

Graham Dumpleton grahamd at dscpl.com.au
Mon Mar 14 21:51:02 EST 2005

Jorey Bump wrote ..
> It might sound like a lot of work, but with good planning it can set a
> solid foundation for future projects, thus saving a *lot* of time in the
> long run. By using this approach, along with dotted notation imports, 
> explicit restriction of *from imported objects with __all__, and 
> enclosing almost everything in functions, I haven't been affected by any
> of the recent security issues, including this one. 

I would be intrigued to know how you think you weren't affected at all
by the object traversal bug which was fixed in 3.1.4 if you were using
publisher. If you were exporting any function, or method of an object
you would have potentially been affected even if your code was stored
outside of the document tree.

Are you still running 3.1.3 on your web site? If you are, care to tell me
some URLs of exported methods in your web application so I can see what
I can find. Your most private data may not have been exposed if you
were indeed careful, but other internal data could still have been
which should not have.

More information about the Mod_python mailing list