Greg Fawcett
greg at vig.co.nz
Tue May 22 18:25:16 EDT 2007
Hi David -

Before I start, I'm fairly new to mod_python, so my approach may not be ideal - hopefully the wiser heads on this list can correct anything stupid...

I decided not to go with publisher, because it seemed to include a lot of functionality I didn't need, and I had this strange compulsion to use URLs like "message.view", where message is a module and view is a function within the module. This has worked out quite nicely, with "user.addform" displaying the form to add a user, "user.add" processing the add form fields, and you'll guess what "user.delete" does. This allows me to keep all my code relating to users in one module, which seems a good idea.

My handler is extremely simple - only 70 lines long, including comments. It grabs the session information, initialises database connection, parses req.uri to find the moduleName and actionName, and then...

    try:
        module=apache.import_module('vf_'+moduleName)
    except ImportError: # Only catch ImportError so syntax errors show
        apache.log_error('vfax.py could not find module "vf_%s"'%(moduleName))
        return apache.HTTP_NOT_FOUND
    try:
        action=eval('module.'+actionName)
    except:
        apache.log_error('vfax.py could not find action "%s"'%(actionName))
        return apache.HTTP_NOT_FOUND
    apacheReturnCode=action(ft)

If someone tries to hack in via non-existent module names or functions, they get a 404.

One issue I found is that you have to take care with private functions which should not be callable from outside the module - perhaps you have a function formatDate() say, used by public functions in the user module. This should not be available via the URL "user.formatDate", or else you are leaving yourself open to myriad security issues. I tried starting their names with two underscores (so it became __formatDate()), but "user.__formatDate" still worked.

So I added a test in my handler for two leading underscores and 404'd them too:

    if actionName[0:2]=='__':
        apache.log_error('vfax.py refused action "%s"'%(actionName))
        return apache.HTTP_NOT_FOUND

I'd be interested in those wiser heads' comments on this - shouldn't a function with two leading underscores not be callable from outside the module?

Anyhow, the main point of this message is that writing your own handler is not a big deal, as long as you are happy to manage issues like sessions and URL parsing yourself. Publisher is probably a better idea for newcomers to web development because it already handles many of the gotchas that may leave your application vulnerable to the net nasties, but if you have some experience, you have a lot more control and a faster application by writing your own handler.

Cheers!
Greg.

On 23/05/07, David Bear <David.Bear at asu.edu> wrote:
>
> I'm trying to decide whether to use publisher or just use
> AddHandler python-program
>
> I understand with publisher that all defined functions are callable in
> the url. What happens though if I just use python-program as the
> handler? Which functions are called? What happens the __name__?
>
> --
> David Bear
> phone: 602-496-0424
> fax: 602-496-0955
> College of Public Programs/ASU
> University Center Rm 622
> 411 N Central
> Phoenix, AZ 85007-0685
> "Beware the IP portfolio, everyone will be suspect of trespassing"

--
Phone: +64 3 409 8165
Mobile: +64 21 333 291
Fax: +64 3 974 6810
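An added example, not part of Greg's message or his handler: the "module.action" dispatch described above, rewritten so that only actions a module explicitly lists are routable, instead of filtering out names by prefix. A module-level name with two leading underscores is an ordinary attribute (Python's name mangling applies only inside class bodies), which is why "user.__formatDate" resolved. `MODULES`, `PUBLIC_ACTIONS`, `resolve` and the stand-in `vf_user` module are hypothetical names constructed for this sketch, and no mod_python call is used.

```python
import re
import types

# Constructed stand-in for a "vf_user" module (all names here are hypothetical).
def view(ctx):
    return "user view"

def format_date(d):
    return "23/05/07"

user = types.ModuleType("vf_user")
user.view = view
user.formatDate = format_date               # helper, not meant for URLs
setattr(user, "__formatDate", format_date)  # same helper, "hidden" by name only
user.PUBLIC_ACTIONS = ("view",)             # the module states what is routable

MODULES = {"user": user}                    # URL module name -> module object
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9]*\Z")

def resolve(uri):
    """Return the callable for a '/module.action' URI, or None (answer 404)."""
    last = uri.rsplit("/", 1)[-1]
    module_name, sep, action_name = last.partition(".")
    if not sep or not NAME_RE.match(module_name) or not NAME_RE.match(action_name):
        return None
    module = MODULES.get(module_name)
    if module is None or action_name not in getattr(module, "PUBLIC_ACTIONS", ()):
        return None
    # Plain attribute lookup: the URL text is never evaluated as an expression.
    action = getattr(module, action_name, None)
    return action if callable(action) else None

if __name__ == "__main__":
    for uri in ("/user.view", "/user.formatDate", "/user.__formatDate", "/nosuch.view"):
        print(uri, "->", resolve(uri))
```

With this shape a new helper added to a module stays unreachable until it is listed in `PUBLIC_ACTIONS`, so exposure is a deliberate step rather than the default.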