[Chicago] Handling secret stuff: update

Chris Foresman foresmac at gmail.com
Mon May 16 22:15:43 EDT 2016


Also, I’m guessing that PHP has some way to read in environment variables from the server it’s running on; this is typically the method used to secure API keys and the like on Django/Python web servers. Is this not an option for you?


Chris Foresman
foresmac at gmail.com




> On May 16, 2016, at 7:43 PM, Adam Forsyth <adam at adamforsyth.net> wrote:
> 
> Leon,
> 
> Please stop changing the subject of the thread, it makes it harder to follow the conversation and clutters up people's inboxes.
> 
> You're mistaken about it being a security problem if "dosomething.php" contains the secret key. If your web server is configured correctly, the user of the site can't actually see the contents of "dosomething.php". The web server uses a PHP plugin to run "dosomething.php" as a program, and then sends its output to the web browser. So the contents of that file are secure -- anyone who has access to it already has access to the secret key.
> 
> 
> On Mon, May 16, 2016 at 5:02 PM, Leon Shernoff <leon at mushroomthejournal.com> wrote:
> Hi, everyone
> 
> and thanks for the suggestions!
> 
> Thanks, Philip and Joshua. I have been reading OWASP and they are a big part of what scared *me* wrt this situation. :-)
> 
> Nick, I don't know how Django works. But @ the "code trail", Wordpress runs on php, which means that when you have a form on a page that's supposed to do stuff, the form says
> <form action="complete_pathname/dosomething.php" method="post">
> and the dosomething.php file is unencrypted text. If that file contains or just is able to access the secret API key, I have a security problem. While a would-be hacker may not (shouldn't!) have permissions to get to that php file, they at least know where to look, or perhaps they can devise some method of triggering the form's actions and having its results directed to them. JavaScript has a similar problem -- any action you want a page to take is written down in unencrypted pages that are interpreted live. It sounds from what you're saying that Django has layers between the pages that it serves and code that it runs that make this not a problem.
> 
> In any case, this is the motivation behind my provisional idea of (something like) Japhy's solution -- I'm not running the host server, but at least perhaps I can trigger the more sensitive part of the operation by scheduled actions which are independent of anything that happens via a browser.
> 
> Thanks again. Your ideas help me think. :-)
> 
> -- 
> Best regards,
>     Leon
> 
> "Creative work defines itself; therefore, confront the work."
>      -- John Cage
> 
> 
> Leon Shernoff
> 1511 E 54th St, Bsmt
> Chicago, IL  60615
> 
> (312) 320-2190
> 
> _______________________________________________
> Chicago mailing list
> Chicago at python.org
> https://mail.python.org/mailman/listinfo/chicago
> 

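Worked example added by the editor; it is not code from Chris, Adam, Leon or any project they mention. It shows, in Python (the list's language, and the Django convention Chris describes), the two checks the thread turns on: pull the API key from the environment and refuse to start when it is missing, and, if a file fallback is used, confirm the file sits outside the web server's document root and is not readable by other accounts, since a key file under the document root is exactly the "unencrypted text a browser might reach" that Leon worries about. The variable name MYAPP_API_KEY, the MYAPP_API_KEY_FILE fallback and the /var/www/html document root are illustrative assumptions, not values from the thread.

```python
"""Added example: load an API key from the environment (Django style) with a
checked file fallback.  MYAPP_API_KEY, MYAPP_API_KEY_FILE and /var/www/html
are assumed names for illustration only."""
import os
import stat


class SecretError(RuntimeError):
    """Raised when a secret is missing, empty, or stored somewhere unsafe."""


def secret_from_env(name, environ=None):
    """Return the secret held in environment variable `name`.

    Fails closed: an unset or blank variable raises instead of letting the
    application run with an empty key.  `environ` can be passed for tests.
    """
    environ = os.environ if environ is None else environ
    value = environ.get(name, "").strip()
    if not value:
        raise SecretError("environment variable %s is not set" % name)
    return value


def secret_file_problems(path, document_root, mode):
    """List the reasons a secret file at `path` is unsafe (empty list = OK).

    `mode` is st_mode from os.stat.  A file under the document root can be
    served verbatim by a misconfigured server; a file readable by group or
    other leaks the key to every other account on the host.
    """
    problems = []
    real = os.path.realpath(path)
    root = os.path.realpath(document_root)
    if real == root or real.startswith(root.rstrip(os.sep) + os.sep):
        problems.append("%s is inside the document root %s" % (real, root))
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("%s is readable by group/other (mode %o)"
                        % (real, stat.S_IMODE(mode)))
    return problems


def secret_from_file(path, document_root):
    """Read a one-line secret from `path` after checking where it lives."""
    problems = secret_file_problems(path, document_root, os.stat(path).st_mode)
    if problems:
        raise SecretError("; ".join(problems))
    with open(path) as fh:
        value = fh.read().strip()
    if not value:
        raise SecretError("%s is empty" % path)
    return value


def load_api_key(name="MYAPP_API_KEY", environ=None,
                 document_root="/var/www/html"):
    """Environment first; otherwise read the file named by <name>_FILE.

    The file fallback mirrors how container platforms mount secrets, and is
    subjected to the location and permission checks above.
    """
    environ = os.environ if environ is None else environ
    try:
        return secret_from_env(name, environ)
    except SecretError:
        file_var = name + "_FILE"
        if file_var not in environ:
            raise
        return secret_from_file(environ[file_var], document_root)


if __name__ == "__main__":
    try:
        key = load_api_key()
        print("loaded an API key of %d characters" % len(key))
    except SecretError as exc:
        print("refusing to start: %s" % exc)
```

In a Django project this is the pattern behind `API_KEY = os.environ["MYAPP_API_KEY"]` in settings.py: the key lives in the process environment of the application server (set by systemd, the container runtime, or the hosting panel), never in a file under the document root and never in version control. The same idea applies to PHP via `getenv()`, provided the host lets you set variables for the PHP process.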