Securing PyDoc and CGIHTTPserver

Jon Schull schull at digitalgoods.com
Thu Jul 10 09:35:41 EDT 2003


PyDoc's author Ka-Ping Yee has suggested that PyDoc be patched to
prevent access from unauthorized IP addresses
(https://sourceforge.net/tracker/?func=detail&atid=305470&aid=672656&group_id=5470),
and that without such a patch, it's not "suitable for running on boxes
that aren't behind firewalls".

It's hard to know how much to worry about such things (Comments?).

However, even with the patch, IP addresses can be spoofed.  Here is an
additional security tactic that might be adopted.

The port number used by pydoc is currently set by the user at the
command line.  Many people probably use the example given in the
Python module documentation: "python -p 1234".  However, if the port
were chosen at random and printed out, then only pydoc and the user
would know how to access the pydoc server.

I'm considering a similar strategy for a server based on the
CGIHTTPServer module, so comments would be welcome.
