[mod_python] Mod_python Security

Graham Dumpleton grahamd at dscpl.com.au
Thu Mar 2 16:41:11 EST 2006

Deron Meranda wrote ..
> On 3/2/06, Nicolas Lehuen <nicolas at lehuen.com> wrote:
> > For example :
> >
> > # index.py
> > # BAD !
> > secret_password = "foobar"
> Or even better yet, if your code must know about secret passwords
> (which is common for opening database connections, etc.), use
> something like,
>    # index.py
>    _secret_password = open('.secret','r').read().strip()
> and then store the password itself in the file ".secret".
> The leading dot in the filename will insure that Apache won't serve
> that file up with the default apache config.  [Somebody correct me
> if this is different for Windows].

Stand corrected then. Using a leading dot doesn't protect it on
UNIX like systems. The only safe way is to not put it in the directory
in the first place.

BTW, that code wouldn't work anyway, as you use a relative path
but working directory will not actually be that directory so it will
not find it.


More information about the Mod_python mailing list