[mod_python] Re: mod_python.publisher and Cheetah

Graham Dumpleton grahamd at dscpl.com.au
Tue Mar 15 16:03:29 EST 2005


On 15/03/2005, at 10:28 PM, Stephane Bortzmeyer wrote:

> On Mon, Mar 14, 2005 at 06:25:50PM -0500,
>  Graham Dumpleton <grahamd at dscpl.com.au> wrote
>>   target = req.filename + ".py"
>>
>>   if not os.path.exists(target):
>>     return apache.DECLINED
>
> I changed it (personal preference and I have only Python content) to:
>
>   if req.filename[-3:] != ".py":
>      target = req.filename + ".py"
>   else:
>      target = req.filename
>
>   if not os.path.exists(target):
>     raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND

I would strongly recommend against changing apache.DECLINED to
apache.HTTP_NOT_FOUND, it is there for a very specific reason.

By using apache.DECLINED, it is possible to put other types of
files such as images, plain text etc into the same directory
and Apache will serve them up without you having to go to
contortions in the Apache configuration to have it only use
mod_python for ".py" or some other extension. It is also not
really good practice to use ".py" extension in a URL anyway as
that is then exposing to a user of your web site what you are
using to implement the web site. This can open up security
issues in as much as they have a better idea of what potential
security holes to probe. Using ".py" extension also makes it
harder to change internally how pages are implemented to some
other Python based toolkit as you are more likely to have to
change the URL, thus invalidating bookmarks, search engine
databases etc. Thus, you are better off using REST style of no
extension, or use ".html" if it truly is HTML content.

For example, to use ".html" extension you might go to the extent
of having:

   # Only interpret ".html" requests.

   target,extn = os.path.splitext(req.filename)

   if extn != ".html":
     return apache.DECLINED

   # We only want to treat request as being a possible
   # request for a Cheetah generated template file if
   # there exists both a ".tmpl" and ".py" file.

   target_tmpl = target + ".tmpl"
   target_py = target + ".py"

   if not os.path.exists(target_tmpl) or not os.path.exists(target_py):
     return apache.DECLINED

This will allow ".html" requests for virtual pages generated from
Cheetah templates, presuming ".tmpl" is in same directory, or a
static ".html" constructed by hand residing in the same directory.
The latter will work because DECLINED is returned, which gives Apache
a second chance at it, instead of HTTP_NOT_FOUND, which gives it no
chance.

Graham
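
The dispatch rule from the message above, as an added example that is not part of the original post or of mod_python. It compares what happens to each file in one directory when a miss returns DECLINED versus HTTP_NOT_FOUND. Assumptions: the three constants are local stand-ins for mod_python's `apache.*` values, `dispatch` and `survey` are hypothetical names, and the file names are constructed.

```python
import os
import tempfile

# Stand-ins for mod_python's apache.DECLINED / apache.OK / apache.HTTP_NOT_FOUND
# (assumption: mod_python itself is not imported, so this runs anywhere).
DECLINED, OK, HTTP_NOT_FOUND = -1, 0, 404


def dispatch(filename, miss=DECLINED):
    """Return OK if the handler should render `filename` from a Cheetah
    template, otherwise `miss` (the status the handler hands back)."""
    target, extn = os.path.splitext(filename)
    if extn != ".html":
        return miss
    # A virtual page needs both the template and its compiled module.
    if not (os.path.exists(target + ".tmpl") and os.path.exists(target + ".py")):
        return miss
    return OK


def survey(miss):
    """Build a constructed directory and classify each requested file:
    'handler' = rendered by the handler, 'apache' = passed back to Apache
    (which serves it if it exists on disk), 'blocked' = refused outright."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("page.tmpl", "page.py", "about.html", "logo.png", "draft.tmpl"):
            open(os.path.join(root, name), "w").close()
        result = {}
        for name in ("page.html", "about.html", "logo.png", "draft.html"):
            code = dispatch(os.path.join(root, name), miss)
            if code == OK:
                result[name] = "handler"
            elif code == DECLINED:
                result[name] = "apache"
            else:
                result[name] = "blocked"
        return result


if __name__ == "__main__":
    for policy in (DECLINED, HTTP_NOT_FOUND):
        print(policy, survey(policy))
```

With HTTP_NOT_FOUND as the miss value, the hand-written `about.html` and `logo.png` become unreachable even though they exist on disk; with DECLINED, Apache still gets to serve them.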


