quetz-mod_python-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Nicolas Lehuen (JIRA)" <j...@apache.org>
Subject [jira] Commented: (MODPYTHON-34) mod_python.publisher index.py exposes underscore prefixed variables
Date Wed, 27 Apr 2005 07:53:23 GMT
     [ http://issues.apache.org/jira/browse/MODPYTHON-34?page=comments#action_63885 ]
     
Nicolas Lehuen commented on MODPYTHON-34:
-----------------------------------------

This is not a security hole, as resolve_object re-checks for underscore. It would make more
sense to put the check for underscore after the import, but as it is totally redundant, so
we might as well remove it. What do you think ?

> mod_python.publisher index.py exposes underscore prefixed variables
> -------------------------------------------------------------------
>
>          Key: MODPYTHON-34
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-34
>      Project: mod_python
>         Type: Bug
>   Components: publisher
>     Versions: 3.1.4
>     Reporter: Graham Dumpleton
>     Priority: Critical

>
> If index.py is used with mod_python.publisher, all underscore prefixed
> variables are actually visible and not hidden as they should. This could
> result in exposure of login/passwd information stored in __auth__ as a
> dictionary, plus any other private data in underscore prefixed variables.
> See following exchange from mailing list. This may require a security
> fix release.
> You have found a bug in mod_python.publisher. It shouldn't be visible,
> but the code which handles defaulting to "index.py" doesn't reapply the
> rule which stops access to "_" variables.
> Ie., early in code in publisher.py, it has a check:
>     # if any part of the path begins with "_", abort
>     if func_path[0] == '_' or func_path.count("._"):
>         raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
> After that point though it has:
>     try:
>         module = apache.import_module(module_name, 
>                                       autoreload=autoreload,
>                                       log=log,
>                                       path=[path])
>     except ImportError:
>         et, ev, etb = sys.exc_info()
>         # try again, using default module, perhaps this is a 
>         # /directory/function (as opposed to /directory/module/function)
>         func_path = module_name
>         module_name = "index"
>         try:
>             module = apache.import_module(module_name, 
>                                           autoreload=autoreload,
>                                           log=log,
>                                           path=[path])
>         except ImportError:
>             # raise the original exception
>             raise et, ev, etb
> Note how it resets the value of func_path. After that the code goes on
> to reolve the object, but the new func_path has skipped the check.
> I believe the fix would be for the "_" check to be after the import and
> not before.
> The only workaround you would have in the short term is not to use
> an "index.py" file and always name it something different.
> This is actually a security hole because any __auth__ stuff would
> be visible and thus people could work out login/passwd. This may
> require another security fix release of mod_python. :-(
> Graham
> Jan Huelsbergen wrote ..
> > Hi,
> > 
> > The mod_python.publisher documentation states at
> > http://modpython.org/live/current/doc-html/hand-pub-alg-trav.html that
> > if
> > "Any of the traversed object's names begin with an underscore ("_")." 
> > they are not accsessable through the web, yet, when I put a 
> > _foo = 'bar'
> > in my index.py, http://my.site/_foo returns 'bar'. 
> > 
> > Am I missinterpreting the documentation? 
> > How to protect a variable from outside access?
> > 
> > TIA

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


Mime
View raw message