Securing PyDoc and CGIHTTPserver

Peter Hansen peter at engcorp.com
Thu Jul 10 16:30:31 CEST 2003


Jon Schull wrote:
> 
> PyDoc's author Ka-Ping Yee has suggested that PyDoc be patched to
> prevent access from unauthorized IP addresses
> (https://sourceforge.net/tracker/?func=detail&atid=305470&aid=672656&group_id=5470),
> and that without such a patch, its not " suitable for running on boxes
> that aren't behind firewalls"
> 
> It's hard to know how much to worry about such things (Comments?).
> 
> However, even with the patch, IP addresses can be spoofed.  Here is an
> additional security tactic that might be adopted.
> 
> The port number used by pydoc is currently set by the user at the
> command line.  Many people probably use the example given in the
> python module documentation : "python -p 1234"    However, if the port
> were chosen at random and printed out, then only pydoc and the user
> would know how to access the pydoc server.
> 
> I'm considering a similar strategy for a server based on the
> CGIHTTPServer module, so comments would be welcome.

My suggestion: don't attempt to mix security into each individual
application in a piecemeal manner.  Use the proper tools for the
job, such as firewalls.  Setting up a firewall on Linux or WinXP
is nearly trivial at this point, and the learning experience is
worth the effort for those who are new to this, so there's not 
much excuse for doing it properly, IMHO.

-Peter




More information about the Python-list mailing list