You are viewing a plain text version of this content. The canonical link for it is here.
Posted to mod_python-dev@quetz.apache.org by "Nicolas Lehuen (JIRA)" <ji...@apache.org> on 2005/09/02 11:43:12 UTC
[jira] Resolved: (MODPYTHON-34) mod_python.publisher index.py exposes underscore prefixed variables
[ http://issues.apache.org/jira/browse/MODPYTHON-34?page=all ]
Nicolas Lehuen resolved MODPYTHON-34:
-------------------------------------
Resolution: Fixed
Assign To: Nicolas Lehuen
OK this definitively has been fixed in 3.2.0 beta.
> mod_python.publisher index.py exposes underscore prefixed variables
> -------------------------------------------------------------------
>
> Key: MODPYTHON-34
> URL: http://issues.apache.org/jira/browse/MODPYTHON-34
> Project: mod_python
> Type: Bug
> Components: publisher
> Versions: 3.1.4
> Reporter: Graham Dumpleton
> Assignee: Nicolas Lehuen
> Priority: Critical
> Fix For: 3.2.0
>
> If index.py is used with mod_python.publisher, all underscore prefixed
> variables are actually visible and not hidden as they should. This could
> result in exposure of login/passwd information stored in __auth__ as a
> dictionary, plus any other private data in underscore prefixed variables.
> See following exchange from mailing list. This may require a security
> fix release.
> You have found a bug in mod_python.publisher. It shouldn't be visible,
> but the code which handles defaulting to "index.py" doesn't reapply the
> rule which stops access to "_" variables.
> Ie., early in code in publisher.py, it has a check:
> # if any part of the path begins with "_", abort
> if func_path[0] == '_' or func_path.count("._"):
> raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
> After that point though it has:
> try:
> module = apache.import_module(module_name,
> autoreload=autoreload,
> log=log,
> path=[path])
> except ImportError:
> et, ev, etb = sys.exc_info()
> # try again, using default module, perhaps this is a
> # /directory/function (as opposed to /directory/module/function)
> func_path = module_name
> module_name = "index"
> try:
> module = apache.import_module(module_name,
> autoreload=autoreload,
> log=log,
> path=[path])
> except ImportError:
> # raise the original exception
> raise et, ev, etb
> Note how it resets the value of func_path. After that the code goes on
> to reolve the object, but the new func_path has skipped the check.
> I believe the fix would be for the "_" check to be after the import and
> not before.
> The only workaround you would have in the short term is not to use
> an "index.py" file and always name it something different.
> This is actually a security hole because any __auth__ stuff would
> be visible and thus people could work out login/passwd. This may
> require another security fix release of mod_python. :-(
> Graham
> Jan Huelsbergen wrote ..
> > Hi,
> >
> > The mod_python.publisher documentation states at
> > http://modpython.org/live/current/doc-html/hand-pub-alg-trav.html that
> > if
> > "Any of the traversed object's names begin with an underscore ("_")."
> > they are not accsessable through the web, yet, when I put a
> > _foo = 'bar'
> > in my index.py, http://my.site/_foo returns 'bar'.
> >
> > Am I missinterpreting the documentation?
> > How to protect a variable from outside access?
> >
> > TIA
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira