[mod_python] Approach to mod_python "secure" code

fizban fizban at paranoici.org
Fri Nov 17 05:36:16 EST 2006 

Hi all,

I'm new to python and mod_python, I've just started moving away from PHP
so I apology if my questions will look dumb :)
I'm finding it easy to learn python for now, there's plenty of docs
around, and mailing lists like this one (I've been lurking for a few
days) are pretty usefull. However there are things that I'm not sure I'm
approaching in the right way, so I'd need an hand by someone more
experienced than me.

I'm in the process of converting a website to mod_python, and after some
reading I decided to opt for the "my own handler" approach. I'll have an
"index.py" (the name isn't important) using SetHandler. So my handler
will deal with all the requests for that directory.

My approach to this is the following:

1* take req.uri, str() it (just in case?) and split('/') it.
[stuff = str(req.uri).split('/')
2* take stuff[1], see if isalpha(), if so see if stuff[1] is in a tuple
(contains all the valid "sections"). if it is, we assume stuff[1] is
safe to deal with. if not, we return a custom 404.
3* if stuff[1] is valid, and it is in a tuple containing a list of
special sections with a matching function, we run that function
[eval("%s(%s)" % (section, "req"))]. some of these functions take other
arguments, like a (pre validated with similar approach) stuff[2], or
req.args (same here). otherwise we run some other routine, by parsing
and req.writing a template.
[stuff[2] or req.args are this time matched against regular expressions,
to see if they fit the arguments taken by the section functions]

Do you guys think it's a decent approach in terms of "security"? Would
you take any other validation steps? As I said I'm really new to python
and mod_python, so since the website has some huge userbase, I'm really
worried about security.. We are not using (for various reasons) sql db,
only templates and local xml basically, so sql inj. is not an issue.

Since the site re-design will force us to change all the URI, I have
setup some other function to see if str(req.uri) matches moved or
deleted pages, if so we return 410 or 301 messages. 404 give the
impression of a messed up site. Is str(req.uri) safe enough to be passed
as argument to the notfound() or moved() functions I've made?

Thanks in advance for any hint or comment you may give me!
I'm also looking for any "guide" or paper about writing "secure" code
with mod_python, I haven't been able to find any on my own, for now :)

Ciao,

Andreas

More information about the Mod_python mailing list