[mod_python] Mod_python Security

Deron Meranda deron.meranda at gmail.com
Thu Mar 2 16:28:06 EST 2006


On 3/2/06, Nicolas Lehuen <nicolas at lehuen.com> wrote:
> For example :
>
> # index.py
> # BAD !
> secret_password = "foobar"

Or even better yet, if your code must know about secret passwords
(which is common for opening database connections, etc.), use
something like,

   # index.py
   _secret_password = open('.secret','r').read().strip()

and then store the password itself in the file ".secret".

The leading dot in the filename will ensure that Apache won't serve
that file up with the default Apache config.  [Somebody correct me
if this is different for Windows].

The leading underscore in the variable name will help hide it from
debug output, stack traces, pydocs, etc.

Anyway this still isn't perfect, but it's a whole lot better than embedding
any passwords directly in the source code.  You should never do that.
--
Deron Meranda
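The dotfile approach from the post, worked through as an added example (this is not code from the original thread or from mod_python itself; the helper names `_load_secret` and `_selfcheck`, the file name `.secret` and the sample password are assumptions). It keeps the two conventions from the post, the dotfile and the leading underscore, and adds two things a practitioner would want: the file is resolved relative to the module's own directory instead of the process working directory (under Apache the cwd is usually not the directory holding `index.py`), and a group- or world-readable secret file is rejected, since the leading dot only stops Apache from serving it and says nothing about other local accounts.

```python
import os
import stat
import tempfile

# Added example; not code from the original mod_python thread.  The names
# _load_secret and _selfcheck and the file name ".secret" are assumptions.


def _load_secret(name='.secret', directory=None):
    """Return the secret stored in the dotfile `name` beside this module.

    The leading underscore keeps the name out of pydoc's default listing,
    matching the convention in the post.  The path is resolved against the
    module's own directory rather than the process working directory: under
    Apache the cwd is usually not the directory that holds index.py, so a
    bare open('.secret') would look in the wrong place.
    """
    if directory is None:
        directory = os.path.dirname(os.path.abspath(__file__))
    path = os.path.join(directory, name)

    # The leading dot keeps Apache from serving the file; it does nothing
    # about other local accounts, so refuse a group- or world-accessible
    # file (POSIX mode bits only; Windows ACLs are not checked here).
    if os.name == 'posix':
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise RuntimeError('%s has mode %o; it must be readable by the '
                               'web server user only (chmod 600)'
                               % (path, mode))

    with open(path, 'r') as f:
        secret = f.read().strip()
    if not secret:
        raise RuntimeError('%s is empty' % path)
    return secret


def _selfcheck():
    """Exercise _load_secret on a constructed temp dir; returns (secret, rejected)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, '.secret')
    try:
        with open(path, 'w') as f:
            f.write('hunter2\n')          # constructed sample password
        os.chmod(path, 0o600)
        secret = _load_secret(directory=tmpdir)

        os.chmod(path, 0o644)             # now world-readable
        try:
            _load_secret(directory=tmpdir)
            rejected = False
        except RuntimeError:
            rejected = True
        return secret, rejected
    finally:
        os.remove(path)
        os.rmdir(tmpdir)


if __name__ == '__main__':
    print(_selfcheck())   # ('hunter2', True) on a POSIX host
```

In a real handler you would call `_load_secret()` once at import time and keep the result in an underscore-prefixed module global, exactly as the post suggests; the permission check means a misdeployed `.secret` fails loudly at startup instead of quietly leaking to every shell account on the box.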
