[mod_python] Getting Hostname

Lee Brown administrator at leebrown.org
Thu Nov 16 09:25:28 EST 2006 

Greetings!

One way to avoid attacks of all kinds is to use Mod Security, which checks
the entire request against a security rule set.  Rule sets are defined
within the main Apache configuration file and look like this (highly
abbreviated) example:

SecFilter "\.\./" "deny,log,status:666"
SecFilterSelective REQUEST_METHOD "SEARCH" "deny,log,status:405"
SecFilterSelective REQUEST_URI "\.exe"  "deny,log,status:666"

The first rule shown protects against symbolic directory traversal for any
kind of request.  If ".." is found, the rule causes Apache to deny access,
log the request, and return an HTTPD status code of 666.  The second rule
denies any request with HTTPD method "search."  The last rule denies any
request with ".exe" in the URI.  You can write a rule for any HTTPD header
field or URI form, and define the action to take and what status code to
return.

I'm not sure about this, but I think that Mod Security works in Apache's
PostReadRequest phase, so it (probably) won't interfere with a Mod Python
Translation phase handler.  Mod Security is exhaustively documented and they
are very responsive to e-mail queries.

I can't say enough good things about Mod Security.  See www.modsecurity.org

Best Regards,
Lee E. Brown
(administrator at leebrown.org)

-----Original Message-----
From: mod_python-bounces at modpython.org
[mailto:mod_python-bounces at modpython.org] On Behalf Of Graham Dumpleton
Sent: Wednesday, November 15, 2006 4:12 PM
To: g.farina at pharaondev.com
Cc: mod_python at modpython.org
Subject: Re: [mod_python] Getting Hostname

NOTE, the above code may have to cleanup req.uri and normalise it before it
uses it to avoid attacks whereby people use '..' in a URI to try and get
access to files outside of the document tree. It might also normalise the
path after creating the combined path and ensuring the result still resides
within the document tree. If Apache has cleaned up req.uri already, this
will not be needed. I need to check for myself what Apache has already done
at that point as not sure.

More information about the Mod_python mailing list