Securing PyDoc and CGIHTTPserver

Harry George at
Thu Jul 10 19:23:54 CEST 2003

Peter Hansen <peter at> writes:

> Jon Schull wrote:
> > 
> > PyDoc's author Ka-Ping Yee has suggested that PyDoc be patched to
> > prevent access from unauthorized IP addresses
> > (,
> > and that without such a patch, its not " suitable for running on boxes
> > that aren't behind firewalls"
> > 
> > It's hard to know how much to worry about such things (Comments?).
> > 
> > However, even with the patch, IP addresses can be spoofed.  Here is an
> > additional security tactic that might be adopted.
> > 
> > The port number used by pydoc is currently set by the user at the
> > command line.  Many people probably use the example given in the
> > python module documentation : "python -p 1234"    However, if the port
> > were chosen at random and printed out, then only pydoc and the user
> > would know how to access the pydoc server.
> > 
> > I'm considering a similar strategy for a server based on the
> > CGIHTTPServer module, so comments would be welcome.
> My suggestion: don't attempt to mix security into each individual
> application in a piecemeal manner.  Use the proper tools for the
> job, such as firewalls.  Setting up a firewall on Linux or WinXP
> is nearly trivial at this point, and the learning experience is
> worth the effort for those who are new to this, so there's not 
> much excuse for doing it properly, IMHO.

Here, we have lots of COTS *NIX behind the corporate firewalls, and
want to provide internal security.  We do this with SSL'd
communications.  I can see how a firewall denies/allows specific IP
addresses (or at least claimed IP addresses), but not how it solves
sniffing, spoofing, man-in-the-middle, etc., where encryption
protocols are needed.

> -Peter

-- at
6-6M31 Knowledge Management
Phone: (425) 294-8757

More information about the Python-list mailing list