[Chicago] Handling secret stuff: update

Adam Forsyth adam at adamforsyth.net
Mon May 16 20:43:55 EDT 2016


Leon,

Please stop changing the subject of the thread, it makes it harder to
follow the conversation and clutters up people's inboxes.

You're mistaken about it being a security problem if "dosomething.php"
contains the secret key. If your web server is configured correctly,
the user of the site can't actually see the contents of "dosomething.php".
The web server uses a PHP plugin to run "dosomething.php" as a program, and
then sends its output to the web browser. So the contents of that file are
secure -- anyone who has access to it already has access to the secret key.


On Mon, May 16, 2016 at 5:02 PM, Leon Shernoff <leon at mushroomthejournal.com>
wrote:

> Hi, everyone
>
> and thanks for the suggestions!
>
> Thanks, Philip and Joshua. I have been reading OWASP and they are a big
> part of what scared *me* wrt this situation. :-)
>
> Nick, I don't know how Django works. But @ the "code trail", Wordpress
> runs on php, which means that when you have a form on a page that's
> supposed to do stuff, the form says
> <form action="complete_pathname/dosomething.php" method="post">
> and the dosomething.php file is unencrypted text. If that file
> contains or just is able to access the secret API key, I have a security
> problem. While a would-be hacker may not (shouldn't!) have permissions to
> get to that php file, they at least know where to look, or perhaps they can
> devise some method of triggering the form's actions and having its results
> directed to them. JavaScript has a similar problem -- any action you want a
> page to take is written down in unencrypted pages that are interpreted
> live. It sounds from what you're saying that Django has layers between the
> pages that it serves and code that it runs that make this not a problem.
>
> In any case, this is the motivation behind my provisional idea of
> (something like) Japhy's solution -- I'm not running the host server, but
> at least perhaps I can trigger the more sensitive part of the operation by
> scheduled actions which are independent of anything that happens via a
> browser.
>
> Thanks again. Your ideas help me think. :-)
>
> --
> Best regards,
>     Leon
>
> "Creative work defines itself; therefore, confront the work."
>      -- John Cage
>
>
> Leon Shernoff
> 1511 E 54th St, Bsmt
> Chicago, IL  60615
>
> (312) 320-2190
>
> _______________________________________________
> Chicago mailing list
> Chicago at python.org
> https://mail.python.org/mailman/listinfo/chicago
>
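Editor's note on the exchange above: Adam's point holds only as long as the server actually executes dosomething.php rather than serving it as a static file. If the PHP handler is not loaded, if an editor leaves a backup copy such as dosomething.php~ or dosomething.php.bak in the web root, or if the file is misnamed (dosomething.php.txt), the raw source, key and all, is handed to anyone who requests it. The check below is an added example, not code from either poster: it fetches a URL and its common backup variants and reports whether PHP source came back unexecuted and which secret-looking literals it carried. The hostname, path, backup suffix list and sample response bodies are constructed for illustration and are not from the thread.

```python
"""Check whether a PHP endpoint leaks its source (and any secret in it).

Added example, not from the thread. All URLs, suffixes and sample
bodies below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request, urlopen

# These markers only show up when PHP was served as text, not executed.
PHP_SOURCE_RE = re.compile(r"<\?php\b|<\?=", re.IGNORECASE)

# Assignments that commonly carry credentials in PHP code.
SECRET_PATTERNS = [
    # define('API_KEY', 'value');
    re.compile(
        r"""define\s*\(\s*['"](\w*(?:secret|api_?key|password|token)\w*)['"]"""
        r"""\s*,\s*['"]([^'"]*)['"]""",
        re.IGNORECASE,
    ),
    # $api_key = 'value';
    re.compile(
        r"""\$(\w*(?:secret|api_?key|password|token)\w*)\s*=\s*['"]([^'"]*)['"]""",
        re.IGNORECASE,
    ),
]

# Editor/backup/misnamed variants that web servers usually do not hand to PHP
# (assumed list; extend it for your own editor and deployment habits).
BACKUP_SUFFIXES = ("~", ".bak", ".orig", ".save", ".txt", ".swp")


def looks_like_php_source(body: str) -> bool:
    """True if the body contains raw PHP code instead of rendered output."""
    return PHP_SOURCE_RE.search(body) is not None


def leaked_secrets(body: str) -> list:
    """Return (name, value) pairs of secret-looking literals in leaked PHP source."""
    if not looks_like_php_source(body):
        return []
    found = []
    for pattern in SECRET_PATTERNS:
        found.extend(pattern.findall(body))
    return found


def candidate_urls(url: str) -> list:
    """The URL itself plus common backup/misnamed variants of the same file."""
    parts = urlsplit(url)
    variants = [urlunsplit(parts._replace(path=parts.path + s)) for s in BACKUP_SUFFIXES]
    return [url] + variants


def probe(url: str, fetch=None) -> dict:
    """Fetch every candidate; map URL -> leaked secrets (empty list means clean)."""
    if fetch is None:
        def fetch(u):
            # Any error (404, timeout) is treated as "nothing served".
            try:
                req = Request(u, headers={"User-Agent": "php-source-leak-check"})
                with urlopen(req, timeout=10) as resp:
                    return resp.read().decode("utf-8", "replace")
            except Exception:
                return ""
    return {u: leaked_secrets(fetch(u)) for u in candidate_urls(url)}


# Constructed sample responses (no real site involved).
RENDERED_OK = "<html><body>Thanks, your form was submitted.</body></html>"
LEAKED_SOURCE = (
    "<?php\n"
    "define('API_KEY', 'example-key-1234');\n"
    "$db_password = 'example-pass';\n"
    "echo 'Thanks, your form was submitted.';\n"
)

# Constructed URL for the offline demo; not a real endpoint.
DEMO_URL = "http://www.example.com/wp-content/dosomething.php"


def demo() -> dict:
    """Offline run against a simulated server that executes the .php file
    correctly but serves the editor backup dosomething.php~ as plain text."""
    def fake_fetch(u):
        if u.endswith("~"):
            return LEAKED_SOURCE
        if u.endswith(".php"):
            return RENDERED_OK
        return ""  # other variants do not exist on the simulated server
    return probe(DEMO_URL, fetch=fake_fetch)


if __name__ == "__main__":
    for target, secrets in demo().items():
        print(target, "->", "LEAK " + repr(secrets) if secrets else "clean")
```

Run it against a real host by calling probe(url) without a fake fetcher; a non-empty list for any URL means the key is exposed and must be rotated, quite apart from fixing the server. The more durable fix is to keep the key out of the web root altogether (in a file or environment variable the PHP process can read but the web server never serves) so that a stray backup copy has nothing to leak.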