Securing PyDoc and CGIHTTPserver

Harry George harry.g.george at boeing.com
Thu Jul 10 16:45:57 CEST 2003


schull at digitalgoods.com (Jon Schull) writes:

> PyDoc's author Ka-Ping Yee has suggested that PyDoc be patched to
> prevent access from unauthorized IP addresses
> (https://sourceforge.net/tracker/?func=detail&atid=305470&aid=672656&group_id=5470),
> and that without such a patch, its not " suitable for running on boxes
> that aren't behind firewalls"
> 
> It's hard to know how much to worry about such things (Comments?).   
> 
> However, even with the patch, IP addresses can be spoofed.  Here is an
> additional security tactic that might be adopted.
> 
> The port number used by pydoc is currently set by the user at the
> command line.  Many people probably use the example given in the
> python module documentation : "python -p 1234"    However, if the port
> were chosen at random and printed out, then only pydoc and the user
> would know how to access the pydoc server.
> 
> I'm considering a similar strategy for a server based on the
> CGIHTTPServer module, so comments would be welcome.

"Security through Obscurity" (e.g., random ports) is not the way to
go.  Instead, use SSL.  This can be done through a CGI on Apache
through an SSL'd port, or it can be done with stunnel.  [Or it might
even be done with raw python using pyOpenSSL or M2Crypto (which I
haven't done, so I can't tell you anything that direction).]


-- 
harry.g.george at boeing.com
6-6M31 Knowledge Management
Phone: (425) 294-8757




More information about the Python-list mailing list