2009/7/1 Valery Khamenya <[email protected]>: > wow, Graham, that was a great answer and my questions are fully answered. > it all was totally comprehensive for me except of this trailing part of item > 5: > "... Do note though that byte > coming the WSGI script file, even if it has a .py extension, shouldn't > be done. This is because it isn't used and the .pyc file if in normal > Apache document directory then might be downloadable as a static file."
This is in part explained in: http://code.google.com/p/modwsgi/wiki/ReloadingSourceCode What is is alluding to is the fact that the WSGI script file is not imported using the C library equivalent of 'import' or '__import__'. Instead lower level functions are used which still results in a module being produced, but their is no side effect of creating a .pyc or .pyo file like with 'import' and '__import__'. Things are done this way for two reasons. The first is that 'import' and '__import__' require the name of the code file to be unique and that isn't going to happen for WSGI script files as resources in an Apache document directory hierarchy. For example, you might have index.py in multiple directories. As such, a module name is automatically fabricated based on the absolute path name of the code file instead. This allows same file name to be used in multiple directories without there being a clash. Just remember this only applies to WSGI script files used as entry points by mod_wsgi. All existing Python imports are as normal. The second reason for doing it this way is so as specifically not to generate a .pyc/.pyo type file. This is so the Apache document directories aren't polluted with the files if Apache user does have write access. If it was done and AddHandler was used to map the code file, with other files in the directory still being served as static files, then those .pyc/.pyo files would normally be downloadable if specific Apache configuration wasn't put in place to stop it. Although byte code, they could be decompiled and someone could work out what your code does. This is also the reason that Python module search path isn't updated to automatically include the directory the WSGI script file is in. Doing that would more easily allow people to stick other Python code files in document directories, perhaps accidentally exposing the code file or .pyc/.pyo files to download. So, the WSGI script files should usually have as little as possible in them and act merely as a bridge for mapping to actual application code located well away from Apache document directories. You should never stick application code under mapped Apache document directories. It is a mistake one often sees people do, even though it is a security risk to do so and they could be opening themselves up to having their application code downloaded. Graham > many thanks! > best regards > -- > Valery A.Khamenya > > > On Wed, Jul 1, 2009 at 3:33 AM, Graham Dumpleton > <[email protected]> wrote: >> >> Do note though that byte >> coming the WSGI script file, even if it has a .py extension, shouldn't >> be done. This is because it isn't used and the .pyc file if in normal >> Apache document directory then might be downloadable as a static file. > > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "modwsgi" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/modwsgi?hl=en -~----------~----~----~----~------~----~------~--~---
