[ http://issues.apache.org/jira/browse/MODPYTHON-34?page=all ] Graham Dumpleton closed MODPYTHON-34: -------------------------------------
> mod_python.publisher index.py exposes underscore prefixed variables > ------------------------------------------------------------------- > > Key: MODPYTHON-34 > URL: http://issues.apache.org/jira/browse/MODPYTHON-34 > Project: mod_python > Type: Bug > Components: publisher > Versions: 3.1.4 > Reporter: Graham Dumpleton > Assignee: Nicolas Lehuen > Priority: Critical > Fix For: 3.2.7 > > If index.py is used with mod_python.publisher, all underscore prefixed > variables are actually visible and not hidden as they should. This could > result in exposure of login/passwd information stored in __auth__ as a > dictionary, plus any other private data in underscore prefixed variables. > See following exchange from mailing list. This may require a security > fix release. > You have found a bug in mod_python.publisher. It shouldn't be visible, > but the code which handles defaulting to "index.py" doesn't reapply the > rule which stops access to "_" variables. > Ie., early in code in publisher.py, it has a check: > # if any part of the path begins with "_", abort > if func_path[0] == '_' or func_path.count("._"): > raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND > After that point though it has: > try: > module = apache.import_module(module_name, > autoreload=autoreload, > log=log, > path=[path]) > except ImportError: > et, ev, etb = sys.exc_info() > # try again, using default module, perhaps this is a > # /directory/function (as opposed to /directory/module/function) > func_path = module_name > module_name = "index" > try: > module = apache.import_module(module_name, > autoreload=autoreload, > log=log, > path=[path]) > except ImportError: > # raise the original exception > raise et, ev, etb > Note how it resets the value of func_path. After that the code goes on > to reolve the object, but the new func_path has skipped the check. > I believe the fix would be for the "_" check to be after the import and > not before. > The only workaround you would have in the short term is not to use > an "index.py" file and always name it something different. > This is actually a security hole because any __auth__ stuff would > be visible and thus people could work out login/passwd. This may > require another security fix release of mod_python. :-( > Graham > Jan Huelsbergen wrote .. > > Hi, > > > > The mod_python.publisher documentation states at > > http://modpython.org/live/current/doc-html/hand-pub-alg-trav.html that > > if > > "Any of the traversed object's names begin with an underscore ("_")." > > they are not accsessable through the web, yet, when I put a > > _foo = 'bar' > > in my index.py, http://my.site/_foo returns 'bar'. > > > > Am I missinterpreting the documentation? > > How to protect a variable from outside access? > > > > TIA -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira