quetz-mod_python-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Graham Dumpleton (JIRA)" <j...@apache.org>
Subject [jira] Closed: (MODPYTHON-34) mod_python.publisher index.py exposes underscore prefixed variables
Date Sun, 05 Mar 2006 04:46:40 GMT
     [ http://issues.apache.org/jira/browse/MODPYTHON-34?page=all ]
     
Graham Dumpleton closed MODPYTHON-34:
-------------------------------------


> mod_python.publisher index.py exposes underscore prefixed variables
> -------------------------------------------------------------------
>
>          Key: MODPYTHON-34
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-34
>      Project: mod_python
>         Type: Bug
>   Components: publisher
>     Versions: 3.1.4
>     Reporter: Graham Dumpleton
>     Assignee: Nicolas Lehuen
>     Priority: Critical
>      Fix For: 3.2.7

>
> If index.py is used with mod_python.publisher, all underscore prefixed
> variables are actually visible and not hidden as they should. This could
> result in exposure of login/passwd information stored in __auth__ as a
> dictionary, plus any other private data in underscore prefixed variables.
> See following exchange from mailing list. This may require a security
> fix release.
> You have found a bug in mod_python.publisher. It shouldn't be visible,
> but the code which handles defaulting to "index.py" doesn't reapply the
> rule which stops access to "_" variables.
> Ie., early in code in publisher.py, it has a check:
>     # if any part of the path begins with "_", abort
>     if func_path[0] == '_' or func_path.count("._"):
>         raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
> After that point though it has:
>     try:
>         module = apache.import_module(module_name, 
>                                       autoreload=autoreload,
>                                       log=log,
>                                       path=[path])
>     except ImportError:
>         et, ev, etb = sys.exc_info()
>         # try again, using default module, perhaps this is a 
>         # /directory/function (as opposed to /directory/module/function)
>         func_path = module_name
>         module_name = "index"
>         try:
>             module = apache.import_module(module_name, 
>                                           autoreload=autoreload,
>                                           log=log,
>                                           path=[path])
>         except ImportError:
>             # raise the original exception
>             raise et, ev, etb
> Note how it resets the value of func_path. After that the code goes on
> to reolve the object, but the new func_path has skipped the check.
> I believe the fix would be for the "_" check to be after the import and
> not before.
> The only workaround you would have in the short term is not to use
> an "index.py" file and always name it something different.
> This is actually a security hole because any __auth__ stuff would
> be visible and thus people could work out login/passwd. This may
> require another security fix release of mod_python. :-(
> Graham
> Jan Huelsbergen wrote ..
> > Hi,
> > 
> > The mod_python.publisher documentation states at
> > http://modpython.org/live/current/doc-html/hand-pub-alg-trav.html that
> > if
> > "Any of the traversed object's names begin with an underscore ("_")." 
> > they are not accsessable through the web, yet, when I put a 
> > _foo = 'bar'
> > in my index.py, http://my.site/_foo returns 'bar'. 
> > 
> > Am I missinterpreting the documentation? 
> > How to protect a variable from outside access?
> > 
> > TIA

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


Mime
View raw message