[mod_python] Approach to mod_python "secure" code

Graham Dumpleton grahamd at dscpl.com.au
Sat Nov 18 01:52:15 EST 2006


Given the nature of your questions and that you are new to Python,
as well as to mod_python, I would very much suggest that you not use
mod_python directly. Instead, I would recommend you go use one
of the higher level Python web frameworks such as Django and
Turbogears. So, go have a look at:

   http://www.djangoproject.com/
   http://www.turbogears.org/

Use one of these and it will save you a lot of hard work and you will
not have to worry unnecessarily about the sort of things you are
worrying about, as other people have solved it already.

Graham

On 17/11/2006, at 9:36 PM, fizban wrote:

> Hi all,
>
> I'm new to python and mod_python, I've just started moving away from PHP
> so I apologize if my questions will look dumb :)
> I'm finding it easy to learn python for now, there's plenty of docs
> around, and mailing lists like this one (I've been lurking for a few
> days) are pretty useful. However there are things that I'm not sure I'm
> approaching in the right way, so I'd need a hand from someone more
> experienced than me.
>
> I'm in the process of converting a website to mod_python, and after some
> reading I decided to opt for the "my own handler" approach. I'll have an
> "index.py" (the name isn't important) using SetHandler. So my handler
> will deal with all the requests for that directory.
>
> My approach to this is the following:
>
> 1* take req.uri, str() it (just in case?) and split('/') it.
> [stuff = str(req.uri).split('/')]
> 2* take stuff[1], see if isalpha(), if so see if stuff[1] is in a tuple
> (contains all the valid "sections"). if it is, we assume stuff[1] is
> safe to deal with. if not, we return a custom 404.
> 3* if stuff[1] is valid, and it is in a tuple containing a list of
> special sections with a matching function, we run that function
> [eval("%s(%s)" % (section, "req"))]. some of these functions take other
> arguments, like a (pre validated with similar approach) stuff[2], or
> req.args (same here). otherwise we run some other routine, by parsing
> and req.writing a template.
> [stuff[2] or req.args are this time matched against regular expressions,
> to see if they fit the arguments taken by the section functions]
>
> Do you guys think it's a decent approach in terms of "security"? Would
> you take any other validation steps? As I said I'm really new to python
> and mod_python, so since the website has some huge userbase, I'm really
> worried about security.. We are not using (for various reasons) sql db,
> only templates and local xml basically, so sql inj. is not an issue.
>
> Since the site re-design will force us to change all the URI, I have
> setup some other function to see if str(req.uri) matches moved or
> deleted pages, if so we return 410 or 301 messages. 404 give the
> impression of a messed up site. Is str(req.uri) safe enough to be passed
> as argument to the notfound() or moved() functions I've made?
>
> Thanks in advance for any hint or comment you may give me!
> I'm also looking for any "guide" or paper about writing "secure" code
> with mod_python, I haven't been able to find any on my own, for now :)
>
> Ciao,
>
> Andreas
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python
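As an added illustration (not code from the thread or from mod_python itself), here is the dispatch the quoted post describes with the `eval("%s(%s)" % (section, "req"))` step replaced by an explicit table of allowed sections, each paired with the regex its argument must match. The `Request` class and HTTP constants are constructed stand-ins for mod_python's request object and `apache` constants so it runs without Apache.

```python
import re

# Constructed stand-in for mod_python's request object; only the attributes
# the post discusses (req.uri, req.args, req.write) are modelled.
class Request:
    def __init__(self, uri, args=None):
        self.uri = uri
        self.args = args
        self.out = []

    def write(self, s):
        self.out.append(s)

HTTP_OK, HTTP_NOT_FOUND = 200, 404

# One validator per section, applied to the second path component (stuff[2]
# in the post) or, when that is absent, to req.args.  fullmatch() anchors
# the pattern so '..', '%00' or a trailing newline never reach the function.
SLUG_RE = re.compile(r'[a-z0-9-]{1,40}')
YEAR_RE = re.compile(r'(19|20)[0-9]{2}')

def news(req, slug):
    req.write("news item %s" % slug)
    return HTTP_OK

def archive(req, year):
    req.write("archive for %s" % year)
    return HTTP_OK

# Explicit dispatch table: a URI segment can only select one of these
# pre-bound callables, so no name taken from the request is ever evaluated.
SECTIONS = {
    'news':    (news, SLUG_RE),
    'archive': (archive, YEAR_RE),
}

def handler(req):
    parts = req.uri.split('/')       # '/news/hello' -> ['', 'news', 'hello']
    if len(parts) > 3:               # deeper paths are not part of the site map
        return HTTP_NOT_FOUND
    section = parts[1] if len(parts) > 1 else ''
    entry = SECTIONS.get(section)    # dict membership replaces isalpha() + tuple
    if entry is None:
        return HTTP_NOT_FOUND        # unknown section: custom 404 as in the post
    func, arg_re = entry
    arg = parts[2] if len(parts) > 2 else (req.args or '')
    if not arg_re.fullmatch(arg):
        return HTTP_NOT_FOUND
    return func(req, arg)
```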