|
If you were logged in you would be able to see more operations.
|
|
|
| Resolution Date: |
02/Sep/05 06:40 PM
|
If index.py is used with mod_python.publisher, all underscore prefixed
variables are actually visible and not hidden as they should. This could
result in exposure of login/passwd information stored in __auth__ as a
dictionary, plus any other private data in underscore prefixed variables.
See following exchange from mailing list. This may require a security
fix release.
You have found a bug in mod_python.publisher. It shouldn't be visible,
but the code which handles defaulting to "index.py" doesn't reapply the
rule which stops access to "_" variables.
Ie., early in code in publisher.py, it has a check:
# if any part of the path begins with "_", abort
if func_path[0] == '_' or func_path.count("._"):
raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
After that point though it has:
try:
module = apache.import_module(module_name,
autoreload=autoreload,
log=log,
path=[path])
except ImportError:
et, ev, etb = sys.exc_info()
# try again, using default module, perhaps this is a
# /directory/function (as opposed to /directory/module/function)
func_path = module_name
module_name = "index"
try:
module = apache.import_module(module_name,
autoreload=autoreload,
log=log,
path=[path])
except ImportError:
# raise the original exception
raise et, ev, etb
Note how it resets the value of func_path. After that the code goes on
to reolve the object, but the new func_path has skipped the check.
I believe the fix would be for the "_" check to be after the import and
not before.
The only workaround you would have in the short term is not to use
an "index.py" file and always name it something different.
This is actually a security hole because any __auth__ stuff would
be visible and thus people could work out login/passwd. This may
require another security fix release of mod_python. :-(
Graham
Jan Huelsbergen wrote ..
> Hi,
>
> The mod_python.publisher documentation states at
> http://modpython.org/live/current/doc-html/hand-pub-alg-trav.html that
> if
> "Any of the traversed object's names begin with an underscore ("_")."
> they are not accsessable through the web, yet, when I put a
> _foo = 'bar'
> in my index.py, http://my.site/_foo returns 'bar'.
>
> Am I missinterpreting the documentation?
> How to protect a variable from outside access?
>
> TIA
|
|
Description
|
If index.py is used with mod_python.publisher, all underscore prefixed
variables are actually visible and not hidden as they should. This could
result in exposure of login/passwd information stored in __auth__ as a
dictionary, plus any other private data in underscore prefixed variables.
See following exchange from mailing list. This may require a security
fix release.
You have found a bug in mod_python.publisher. It shouldn't be visible,
but the code which handles defaulting to "index.py" doesn't reapply the
rule which stops access to "_" variables.
Ie., early in code in publisher.py, it has a check:
# if any part of the path begins with "_", abort
if func_path[0] == '_' or func_path.count("._"):
raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
After that point though it has:
try:
module = apache.import_module(module_name,
autoreload=autoreload,
log=log,
path=[path])
except ImportError:
et, ev, etb = sys.exc_info()
# try again, using default module, perhaps this is a
# /directory/function (as opposed to /directory/module/function)
func_path = module_name
module_name = "index"
try:
module = apache.import_module(module_name,
autoreload=autoreload,
log=log,
path=[path])
except ImportError:
# raise the original exception
raise et, ev, etb
Note how it resets the value of func_path. After that the code goes on
to reolve the object, but the new func_path has skipped the check.
I believe the fix would be for the "_" check to be after the import and
not before.
The only workaround you would have in the short term is not to use
an "index.py" file and always name it something different.
This is actually a security hole because any __auth__ stuff would
be visible and thus people could work out login/passwd. This may
require another security fix release of mod_python. :-(
Graham
Jan Huelsbergen wrote ..
> Hi,
>
> The mod_python.publisher documentation states at
> http://modpython.org/live/current/doc-html/hand-pub-alg-trav.html that
> if
> "Any of the traversed object's names begin with an underscore ("_")."
> they are not accsessable through the web, yet, when I put a
> _foo = 'bar'
> in my index.py, http://my.site/_foo returns 'bar'.
>
> Am I missinterpreting the documentation?
> How to protect a variable from outside access?
>
> TIA |
Show » |
made changes - 10/Aug/05 09:54 PM
| Field |
Original Value |
New Value |
|
Fix Version/s
|
|
3.2.0
[ 11060
]
|
|
Environment
|
|
|
|
Description
|
If index.py is used with mod_python.publisher, all underscore prefixed
variables are actually visible and not hidden as they should. This could
result in exposure of login/passwd information stored in __auth__ as a
dictionary, plus any other private data in underscore prefixed variables.
See following exchange from mailing list. This may require a security
fix release.
You have found a bug in mod_python.publisher. It shouldn't be visible,
but the code which handles defaulting to "index.py" doesn't reapply the
rule which stops access to "_" variables.
Ie., early in code in publisher.py, it has a check:
# if any part of the path begins with "_", abort
if func_path[0] == '_' or func_path.count("._"):
raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
After that point though it has:
try:
module = apache.import_module(module_name,
autoreload=autoreload,
log=log,
path=[path])
except ImportError:
et, ev, etb = sys.exc_info()
# try again, using default module, perhaps this is a
# /directory/function (as opposed to /directory/module/function)
func_path = module_name
module_name = "index"
try:
module = apache.import_module(module_name,
autoreload=autoreload,
log=log,
path=[path])
except ImportError:
# raise the original exception
raise et, ev, etb
Note how it resets the value of func_path. After that the code goes on
to reolve the object, but the new func_path has skipped the check.
I believe the fix would be for the "_" check to be after the import and
not before.
The only workaround you would have in the short term is not to use
an "index.py" file and always name it something different.
This is actually a security hole because any __auth__ stuff would
be visible and thus people could work out login/passwd. This may
require another security fix release of mod_python. :-(
Graham
Jan Huelsbergen wrote ..
> Hi,
>
> The mod_python.publisher documentation states at
> http://modpython.org/live/current/doc-html/hand-pub-alg-trav.html that
> if
> "Any of the traversed object's names begin with an underscore ("_")."
> they are not accsessable through the web, yet, when I put a
> _foo = 'bar'
> in my index.py, http://my.site/_foo returns 'bar'.
>
> Am I missinterpreting the documentation?
> How to protect a variable from outside access?
>
> TIA
|
If index.py is used with mod_python.publisher, all underscore prefixed
variables are actually visible and not hidden as they should. This could
result in exposure of login/passwd information stored in __auth__ as a
dictionary, plus any other private data in underscore prefixed variables.
See following exchange from mailing list. This may require a security
fix release.
You have found a bug in mod_python.publisher. It shouldn't be visible,
but the code which handles defaulting to "index.py" doesn't reapply the
rule which stops access to "_" variables.
Ie., early in code in publisher.py, it has a check:
# if any part of the path begins with "_", abort
if func_path[0] == '_' or func_path.count("._"):
raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
After that point though it has:
try:
module = apache.import_module(module_name,
autoreload=autoreload,
log=log,
path=[path])
except ImportError:
et, ev, etb = sys.exc_info()
# try again, using default module, perhaps this is a
# /directory/function (as opposed to /directory/module/function)
func_path = module_name
module_name = "index"
try:
module = apache.import_module(module_name,
autoreload=autoreload,
log=log,
path=[path])
except ImportError:
# raise the original exception
raise et, ev, etb
Note how it resets the value of func_path. After that the code goes on
to reolve the object, but the new func_path has skipped the check.
I believe the fix would be for the "_" check to be after the import and
not before.
The only workaround you would have in the short term is not to use
an "index.py" file and always name it something different.
This is actually a security hole because any __auth__ stuff would
be visible and thus people could work out login/passwd. This may
require another security fix release of mod_python. :-(
Graham
Jan Huelsbergen wrote ..
> Hi,
>
> The mod_python.publisher documentation states at
> http://modpython.org/live/current/doc-html/hand-pub-alg-trav.html that
> if
> "Any of the traversed object's names begin with an underscore ("_")."
> they are not accsessable through the web, yet, when I put a
> _foo = 'bar'
> in my index.py, http://my.site/_foo returns 'bar'.
>
> Am I missinterpreting the documentation?
> How to protect a variable from outside access?
>
> TIA
|
made changes - 02/Sep/05 06:40 PM
|
Resolution
|
|
Fixed
[ 1
]
|
|
Status
|
Open
[ 1
]
|
Resolved
[ 5
]
|
|
Assignee
|
|
Nicolas Lehuen
[ nlehuen
]
|
made changes - 05/Mar/06 01:45 PM
|
Status
|
Resolved
[ 5
]
|
Closed
[ 6
]
|
|
Bug
Closed
Critical
mod_python.publisher index.py exposes underscore prefixed variables
