Securing PyDoc and CGIHTTPserver

Peter Hansen peter at engcorp.com
Mon Jul 14 21:23:57 CEST 2003


Jon Schull wrote:
> 
> Well, for what its worth, I was thinking about "sniffing, spoofing, or
> main-in-the-middle attacks", and I was hoping for something I could
> stick into a program for unsophisticated users (e.g, those to whom one
> might give a notepad-like application, albeit with a local webserver
> interface).
> 
> Everyone who connects to the internet should have a firewall BUT must
> all who import httpserver implement or insist on a firewall for all
> their users?  Realistically?  I don't want to think so.

Yes, provided they are running code that is not considered inherently 
safe and provided they have sockets that are listening on all interfaces
as opposed to those which bind solely to localhost/127.0.0.1, then I
believe they *should* have a firewall.  Doing anything else is playing
with fire, and a bad habit to get into as well.

If this is merely a "local webserver interface", then it should bind
to localhost only.  If it is intended for local use on a network, and
therefore must bind to an external interface, then it's perfectly
safe, provided there is no connection to the Internet on that network,
or there is a firewall on any such connection.  End of story.  (Said
as black and white to encourage discussion, not necessarily because I 
truly believe that...)

-Peter




More information about the Python-list mailing list