Deron Meranda
deron.meranda at gmail.com
Thu Mar 2 18:16:07 EST 2006
On 3/2/06, Graham Dumpleton <grahamd at dscpl.com.au> wrote:
> Deron Meranda wrote ..
> > # index.py
> > _secret_password = open('.secret','r').read().strip()
>
> Stand corrected then. Using a leading dot doesn't protect it on
> UNIX like systems.

You're right, I typed too fast. The standard Apache configs protect
files starting with ".ht", not just "." (there's a <FilesMatch> in
httpd.conf to catch these). So you could use ".htsecret" perhaps.

> The only safe way is to not put it in the directory in the first place.

Yes, that's safer still. But the .ht* prefix is pretty safe too; it's a
matter of convenience (especially if you're under an SELinux environment
and you don't want to/know how to set MAC labels).

> BTW, that code wouldn't work anyway, as you use a relative path
> but working directory will not actually be that directory so it will
> not find it.

Yep, again I just typed my example too quick without paying attention to
the details. Thanks for keeping me honest.

Bottom line though is to never put the password in any code; keep it
someplace else and read it in dynamically at module load time.

--
Deron Meranda
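The two points raised in this exchange (the relative path fails because mod_python's working directory is not the script's directory, and the secret should live somewhere the web server will never serve) can be combined into a small loader. The following is an added example, not code from the thread or from mod_python; the file location `/etc/myapp/secret`, the `MYAPP_SECRET_FILE` environment variable and the sample secret value are all constructed for illustration. It reads the secret once at module load, insists on an absolute path, and refuses a file that is readable by group or others, which is the kind of mistake that makes ".ht"-style naming or SELinux labels the only thing standing between the password and an HTTP client.

```python
import os
import stat
import tempfile

# Hypothetical default location, outside any document root, so no
# <FilesMatch> rule is needed to keep Apache from serving it.
DEFAULT_SECRET_PATH = "/etc/myapp/secret"


def load_secret(path=None):
    """Read a secret from a file that is not part of the code base.

    - The path must be absolute: under mod_python the process's working
      directory is not the directory holding index.py, so a bare
      '.secret' would not be found (the point made in the thread).
    - The file must not be group- or world-readable; a secret that any
      local user can read is not a secret.
    - Trailing whitespace (the newline most editors append) is stripped.
    """
    path = path or os.environ.get("MYAPP_SECRET_FILE", DEFAULT_SECRET_PATH)
    if not os.path.isabs(path):
        raise ValueError("secret path must be absolute: %r" % path)
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("secret file %s is readable by group/others" % path)
    with open(path, "r") as f:
        secret = f.read().strip()
    if not secret:
        raise ValueError("secret file %s is empty" % path)
    return secret


def write_secret_file(path, value):
    """Create the secret file with mode 0600 from the start (no window in
    which it exists world-readable before a later chmod)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(value + "\n")


def demo():
    """Exercise the loader against a constructed secret in a temp dir.

    Returns (secret_read_back, loose_permissions_were_rejected).
    """
    sample = "correct horse battery staple"  # constructed sample value
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "secret")
        write_secret_file(path, sample)
        read_back = load_secret(path)

        # Loosen the mode to 0644 and confirm the loader refuses it.
        os.chmod(path, 0o644)
        try:
            load_secret(path)
            rejected = False
        except PermissionError:
            rejected = True
    return read_back, rejected


# Typical use at module load time in a handler module (index.py):
#     _secret_password = load_secret()
if __name__ == "__main__":
    print(demo())
```

In a real deployment the file would be owned by the user Apache runs as, with mode 0600, and created from the provisioning side rather than by the handler itself; `write_secret_file` is here only so the example can be run end to end without touching anything outside a temporary directory.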