[mod_python] Approach to mod_python "secure" code

Graham Dumpleton grahamd at dscpl.com.au
Sat Nov 18 01:52:15 EST 2006

Given the nature of your questions and that you are new to Python,
as well as to mod_python, I would very much suggest that you not use
mod_python directly. Instead, I would recommend you go use one
of the higher level Python web frameworks such as Django and
TurboGears. So, go have a look at:


Use one of these and it will save you a lot of hard work, and you will
not have to worry unnecessarily about the sort of things you are
worrying about, as other people have solved them already.


On 17/11/2006, at 9:36 PM, fizban wrote:

> Hi all,
> I'm new to Python and mod_python; I've just started moving away from PHP,
> so I apologize if my questions look dumb :)
> I'm finding it easy to learn Python for now; there's plenty of docs
> around, and mailing lists like this one (I've been lurking for a few
> days) are pretty useful. However, there are things that I'm not sure I'm
> approaching in the right way, so I'd need a hand from someone more
> experienced than me.
> I'm in the process of converting a website to mod_python, and after some
> reading I decided to opt for the "my own handler" approach. I'll have an
> "index.py" (the name isn't important) using SetHandler. So my handler
> will deal with all the requests for that directory.
> My approach to this is the following:
> 1* take req.uri, str() it (just in case?) and split('/') it.
> [stuff = str(req.uri).split('/')]
> 2* take stuff[1], see if isalpha(), if so see if stuff[1] is in a tuple
> (contains all the valid "sections"). If it is, we assume stuff[1] is
> safe to deal with. If not, we return a custom 404.
> 3* if stuff[1] is valid, and it is in a tuple containing a list of
> special sections with a matching function, we run that function
> [eval("%s(%s)" % (section, "req"))]. Some of these functions take other
> arguments, like a (pre-validated with a similar approach) stuff[2], or
> req.args (same here). Otherwise we run some other routine, by parsing
> and req.writing a template.
> [stuff[2] or req.args are this time matched against regular expressions,
> to see if they fit the arguments taken by the section functions]
> Do you guys think it's a decent approach in terms of "security"? Would
> you take any other validation steps? As I said, I'm really new to Python
> and mod_python, so since the website has a huge userbase, I'm really
> worried about security. We are not using (for various reasons) an SQL db,
> only templates and local XML basically, so SQL injection is not an issue.
> Since the site redesign will force us to change all the URIs, I have
> set up some other function to see if str(req.uri) matches moved or
> deleted pages; if so we return 410 or 301 messages. 404s give the
> impression of a messed-up site. Is str(req.uri) safe enough to be passed
> as an argument to the notfound() or moved() functions I've made?
> Thanks in advance for any hint or comment you may give me!
> I'm also looking for any "guide" or paper about writing "secure" code
> with mod_python; I haven't been able to find any on my own, for now :)
> Ciao,
> Andreas
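The dispatch the quoted post describes (split req.uri, check isalpha() and a whitelist, validate stuff[2] with a regular expression, answer 301/410 for moved or deleted pages), written as an added example that is not code from either poster: a plain dict lookup stands in for the eval("%s(req)" % section) step, so only the functions listed in SECTIONS can ever be reached. The Request class, the handler functions, ITEM_RE and the MOVED/GONE tables are constructed stand-ins for mod_python's request object and the site's own data.

```python
import re

# Constructed stand-in for the mod_python request object; only the two
# attributes the post's handler reads are modelled here.
class Request:
    def __init__(self, uri, args=None):
        self.uri = uri
        self.args = args

# Constructed section handlers; each returns (status, body).
def news(req, item=None):
    return 200, "news page for %s" % (item or "index")

def about(req, item=None):
    return 200, "about page"

# Whitelist of sections mapped straight to their handler functions.
# Looking the name up here replaces the eval() call: whatever the URI
# contains, nothing outside this dict is callable.
SECTIONS = {"news": news, "about": about}

# The post's regex check on stuff[2]: a short identifier, nothing else.
ITEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

# Constructed tables for the redesign: moved pages get a 301 target,
# deleted pages get 410.
MOVED = {"oldnews": "/news"}
GONE = {"guestbook"}

def dispatch(req):
    parts = str(req.uri).split("/")
    section = parts[1] if len(parts) > 1 else ""
    item = parts[2] if len(parts) > 2 else None

    if section in MOVED:
        return 301, MOVED[section]
    if section in GONE:
        return 410, "gone"
    # Both checks from step 2 of the post: alphabetic, then whitelisted.
    if not section.isalpha() or section not in SECTIONS:
        return 404, "not found"
    # Step 3: the optional second element must match the argument regex.
    if item is not None and not ITEM_RE.match(item):
        return 404, "not found"
    return SECTIONS[section](req, item)
```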
