Nicolas Lehuen
nicolas at lehuen.com
Thu Mar 2 08:54:55 EST 2006
There's an important rule: if you use the publisher, everything which is defined in a published module is generally accessible from the web, except if its name begins with an underscore. For example:

    # index.py
    # BAD !
    from mod_python import util

    # module-level string: the publisher will serve it on request
    secret_password = "foobar"

    def index(req, password):
        if password != secret_password:
            return util.redirect(req, '/rejected.html')
        else:
            return "Welcome !"

Your secret password is accessible through http://my_server/my_folder/index.py/secret_password

To make sure it won't be accessed, rename secret_password to _secret_password.

There are exceptions to this "everything is accessible" rule, namely imported modules, new-style classes and built-in functions cannot be traversed nor published. This prevents basic leaks like being able to call sys.exit() from any published module that imports sys.

Those rules are specified in the lib/python/mod_python/publisher.py file, if you are curious.

But in any case, be aware that any string defined in a published module is accessible unless its name is prefixed by an underscore, which includes your precious database password.

Regards,
Nicolas

2006/3/2, Mike Looijmans <nlv11281 at natlab.research.philips.com>:
> As with any server-side scripting, there's:
>
> - Cross-site scripting
> - Code injection
> - SQL injection
>
> But that's typically 'your' fault...
>
> Mike Looijmans
> Philips Natlab / Topic Automation
>
>
> marinus van aswegen wrote:
> > Hi
> >
> > I'd like to publish my page but I'm not sure what security issues
> > mod_python typically faces.
> > Any recommendations?
> >
> > Regards
> >
> > _______________________________________________
> > Mod_python mailing list
> > Mod_python at modpython.org
> > http://mailman.modpython.org/mailman/listinfo/mod_python
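The following Python 3 script is an added illustration of the exposure rules Nicolas describes; it is not code from the original post and not mod_python's own publisher.py. It models the stated rules (underscore-prefixed names are never served; imported modules, new-style classes and built-in functions can be neither traversed nor published; everything else is) and walks URL paths against two constructed index.py modules, the BAD one from the post and the fixed one with the underscore prefix. The rule table, the `resolve`/`exposed_names` helpers and the two module sources are assumptions built for this example, and `util.redirect` is replaced by a returned string because mod_python is not installed here.

```python
"""Model of the mod_python publisher's exposure rules as described in the post.

Added example, not mod_python's publisher.py: the rule table below encodes the
rules stated in the post (an assumption, not copied from mod_python), and the
two index.py sources are constructed to mirror the post's BAD example and its
fix.  util.redirect is replaced by a returned string (mod_python not installed).
"""
import types


class Forbidden(Exception):
    """Stands in for the HTTP 403 the real publisher answers with."""


# (traversable, publishable) per object type; anything else gets the default.
TYPE_RULES = {
    types.ModuleType: (False, False),           # `import sys` must not expose sys.exit
    type: (False, False),                       # new-style classes
    types.BuiltinFunctionType: (False, False),  # len, str.upper, ...
}
DEFAULT_RULE = (True, True)                     # plain strings, functions, instances


def resolve(module, path):
    """Walk the URL components after index.py the way the publisher would.

    No component may start with '_'; every intermediate object must be
    traversable and the final object publishable, otherwise Forbidden is
    raised.  A missing attribute raises KeyError (the real publisher: 404).
    """
    obj = module
    for depth, name in enumerate(path):
        if name.startswith("_"):
            raise Forbidden("underscore-prefixed name %r is never published" % name)
        if not hasattr(obj, name):
            raise KeyError(name)
        obj = getattr(obj, name)
        traversable, publishable = TYPE_RULES.get(type(obj), DEFAULT_RULE)
        if depth == len(path) - 1:
            if not publishable:
                raise Forbidden("%r (%s) is not publishable" % (name, type(obj).__name__))
        elif not traversable:
            raise Forbidden("%r (%s) cannot be traversed" % (name, type(obj).__name__))
    return obj


def is_forbidden(module, path):
    """True when the modelled rules would refuse this path with a 403."""
    try:
        resolve(module, path)
    except Forbidden:
        return True
    return False


def exposed_names(module):
    """Module-level names a client could fetch directly as /index.py/<name>."""
    return {name for name in dir(module) if not is_forbidden(module, [name])}


def load_module(name, source):
    """Stand-in for the publisher importing a file: exec the text into a module."""
    mod = types.ModuleType(name)
    exec(source, mod.__dict__)
    return mod


# Constructed sources mirroring the post.  The BAD one leaks the password as a
# module-level string; the fix is nothing more than the underscore prefix.
BAD_SOURCE = '''
import sys                      # module: not traversable, so /sys/exit is refused
secret_password = "foobar"      # BAD: served as /index.py/secret_password
count = len                     # built-in function: not published

class Config(object):           # new-style class: neither traversed nor published
    debug = True

def index(req, password):
    if password != secret_password:
        return "redirect:/rejected.html"   # util.redirect(req, '/rejected.html') in the post
    return "Welcome !"
'''

FIXED_SOURCE = BAD_SOURCE.replace("secret_password", "_secret_password")

bad_index = load_module("index", BAD_SOURCE)
fixed_index = load_module("index", FIXED_SOURCE)

if __name__ == "__main__":
    print("BAD   exposes:", sorted(exposed_names(bad_index)))    # ['index', 'secret_password']
    print("FIXED exposes:", sorted(exposed_names(fixed_index)))  # ['index']
    print("GET /index.py/secret_password ->", resolve(bad_index, ["secret_password"]))  # foobar
    print("GET /index.py/sys/exit forbidden?", is_forbidden(bad_index, ["sys", "exit"]))  # True
```

Running `exposed_names` over a real module namespace before publishing it is the practical check: anything in that set that is not meant to be a handler is a leak, and under the modelled rules a renamed `_secret_password` drops out of the set while `index` stays.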