Securing PyDoc and CGIHTTPserver

Harry George harry.g.george at boeing.com
Thu Jul 10 10:45:57 EDT 2003


schull at digitalgoods.com (Jon Schull) writes:

> PyDoc's author Ka-Ping Yee has suggested that PyDoc be patched to
> prevent access from unauthorized IP addresses
> (https://sourceforge.net/tracker/?func=detail&atid=305470&aid=672656&group_id=5470),
> and that without such a patch, it's not "suitable for running on boxes
> that aren't behind firewalls".
> 
> It's hard to know how much to worry about such things (Comments?).   
> 
> However, even with the patch, IP addresses can be spoofed.  Here is an
> additional security tactic that might be adopted.
> 
> The port number used by pydoc is currently set by the user at the
> command line.  Many people probably use the example given in the
> python module documentation: "python -p 1234".  However, if the port
> were chosen at random and printed out, then only pydoc and the user
> would know how to access the pydoc server.
> 
> I'm considering a similar strategy for a server based on the
> CGIHTTPServer module, so comments would be welcome.

"Security through Obscurity" (e.g., random ports) is not the way to
go.  Instead, use SSL.  This can be done through a CGI on Apache
through an SSL'd port, or it can be done with stunnel.  [Or it might
even be done with raw python using pyOpenSSL or M2Crypto (which I
haven't done, so I can't tell you anything in that direction).]


-- 
harry.g.george at boeing.com
6-6M31 Knowledge Management
Phone: (425) 294-8757
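
An added example, not part of the original thread and not PyDoc's or CGIHTTPServer's own code: a Python 3 standard-library server that combines the two controls discussed above, a client-address allow-list and optional SSL/TLS on the listening socket. The names `AllowListHandler`, `make_server`, `status_for` and `ALLOWED_NETS` are hypothetical, and the certificate and key paths are assumed to be supplied by the operator.

```python
import http.client
import http.server
import ipaddress
import ssl
import threading

# Assumption: the documentation server is only meant for local use.
ALLOWED_NETS = [ipaddress.ip_network("127.0.0.0/8")]


class AllowListHandler(http.server.BaseHTTPRequestHandler):
    allowed = ALLOWED_NETS

    def do_GET(self):
        # Refuse any peer whose source address is outside the allow-list.
        peer = ipaddress.ip_address(self.client_address[0])
        if not any(peer in net for net in self.allowed):
            self.send_error(403, "client address not allowed")
            return
        body = b"documentation index placeholder\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def make_server(allowed=ALLOWED_NETS, certfile=None, keyfile=None):
    # Bind to loopback only; port 0 lets the OS pick a free port, which is
    # a convenience here and not treated as an access control.
    handler = type("Handler", (AllowListHandler,), {"allowed": list(allowed)})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    if certfile:  # operator-supplied PEM files (assumed paths)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile, keyfile)
        srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
    return srv


def status_for(allowed):
    # Start a plain-HTTP instance, issue one GET from loopback, return status.
    srv = make_server(allowed)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    conn = http.client.HTTPConnection(*srv.server_address, timeout=5)
    try:
        conn.request("GET", "/")
        return conn.getresponse().status
    finally:
        conn.close()
        srv.shutdown()
        srv.server_close()
```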



