Securing PyDoc and CGIHTTPserver
schull at digitalgoods.com
Thu Jul 10 15:35:41 CEST 2003
PyDoc's author Ka-Ping Yee has suggested that PyDoc be patched to
prevent access from unauthorized IP addresses
and that without such a patch, it's not "suitable for running on boxes
that aren't behind firewalls".
It's hard to know how much to worry about such things (Comments?).
However, even with the patch, IP addresses can be spoofed. Here is an
additional security tactic that might be adopted.
The port number used by pydoc is currently set by the user at the
command line. Many people probably use the example given in the
python module documentation: "python -p 1234". However, if the port
were chosen at random and printed out, then only pydoc and the user
would know how to access the pydoc server.
I'm considering a similar strategy for a server based on the
CGIHTTPServer module, so comments would be welcome.
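
An added example, not part of the original post and not PyDoc's or CGIHTTPServer's own code: a small Python 3 `http.server` sketch that combines the two ideas in the message, a client-address allowlist and a randomly drawn port that is printed for the local user. The handler name, the port range 49152-65535, the loopback bind address and the placeholder response body are assumptions made for illustration.

```python
import http.client
import http.server
import secrets
import threading

class AllowlistHandler(http.server.BaseHTTPRequestHandler):
    allowed = frozenset({"127.0.0.1"})  # assumption: only the local user connects
    def do_GET(self):
        # client_address[0] is the TCP peer's IP as seen by this server.
        if self.client_address[0] not in self.allowed:
            self.send_error(403, "client address not allowed")
            return
        body = b"documentation placeholder\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # silence per-request logging for the demo

def start_on_random_port(allowed=("127.0.0.1",), bind="127.0.0.1",
                         low=49152, high=65535, tries=20):
    """Bind to an unpredictable port in [low, high]; return (server, port)."""
    handler = type("Handler", (AllowlistHandler,), {"allowed": frozenset(allowed)})
    for _ in range(tries):
        port = low + secrets.randbelow(high - low + 1)  # CSPRNG, not random.randint
        try:
            server = http.server.ThreadingHTTPServer((bind, port), handler)
        except OSError:
            continue  # port already in use: draw again
        threading.Thread(target=server.serve_forever, daemon=True).start()
        return server, port
    raise RuntimeError("no free port found")

def fetch_status(port, host="127.0.0.1"):
    """Return the HTTP status the server gives a client connecting to host."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", "/")
        return conn.getresponse().status
    finally:
        conn.close()

if __name__ == "__main__":
    server, port = start_on_random_port()
    print(f"http://127.0.0.1:{port}/ ->", fetch_status(port))  # shown to local user
    server.shutdown()
```

The port is one of 16,384 values and is visible to a port scan, so in this sketch the address check and the loopback bind carry the access control, and the random port only makes the service harder to find.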