Webware for Python

I'm porting a site from Cold Fusion to Webware.  One thing CF does that I
like is that when you define a datasource in the CF Admin page, it stores
the username and password so it never has to appear in your pages.  In order
to interact with the database, the login must have some pretty powerful
priviledges that I wouldn't want in plain text files.  Is there any way to
hide the username and password for a datasource?

Another feature of CF that I've never had to use but it might be nice is the
ability to encrypt entire pages so the server can decrypt and serve them but
the source isn't easy to copy.

Re: [Webware-discuss] Database passwords From: Ian Bicking <ianb@co...> - 2001-04-02 16:51 "Jeff Johnson" <jeff@...> wrote: > I'm porting a site from Cold Fusion to Webware. One thing CF does that I > like is that when you define a datasource in the CF Admin page, it stores > the username and password so it never has to appear in your pages. In order > to interact with the database, the login must have some pretty powerful > priviledges that I wouldn't want in plain text files. Is there any way to > hide the username and password for a datasource? I don't know of any way to avoid putting the username/password in a plain text file somewhere. I always put the database-connection settings in a seperate file and import it (helps when moving from the testing to production db, etc). You can give this file particularly strict permissions. Really, if a Python program is going to login to a database it needs to have the same information a person needs to login to the database -- i.e., plaintext login information. You can obscure it some but you can't really hide it. I assume this is what CF does -- maybe it encrypts the information again, but that's just obscuring it too since the key to decrypt the information has to sit somewhere in plaintext. In Unix I suppose the solution would be to make the script suid to some privileged user who could access the login information. I'm not sure how I'd do that in Webware, though -- I guess you could make the AppServer suid to a somewhat privileged user, and just make sure that user has the necessary permissions but nothing else (i.e., one step above nobody). I'm even less sure how you'd do that on Windows. > Another feature of CF that I've never had to use but it might be nice is the > ability to encrypt entire pages so the server can decrypt and serve them but > the source isn't easy to copy. Well, there's no real limit on what you can do, though the key security still remains an issue. I've made Python wrappers for GPG, and they work well enough. There might be modules for encryption in Python -- I haven't really looked. You could make a servlet that decrypted the contents of a file, and a factory that associated this servlet with certain extensions. That's if you wanted to encrypt content. If you want to encrypt code, you'll have to go through many more gyrations, decrypting then evaluating. Considering the difficulty, it wouldn't really give you a whole lot more security -- it's unlikely you can secure the decryption key any better than you can secure the files. If you had people putting GPG/PGP encoded files in a public location however, you could gain real security. Also, if you receive the key from the user themselves and don't store it this will give you some security. If you can't be sure of the integrity and security of the server itself it's all rather difficult. -- Ian Bicking Colorstudy Web Design ianb@... http://www.colorstudy.com homepage: http://www.colorstudy.com/ianb 4769 N Talman Ave, Chicago, IL 60625 / (773) 275-7241

[Webware-discuss] file upload confusion From: Irene Barg <ibarg@as...> - 2001-04-02 18:54 Attachments: UploadFile.py      Hello, I'm not only new to Webware, but relatively new to Python, so be kind. I'm having a hard time porting simple Python cgi programs into Webware. As my first real attempt to programming in WebKit, I wanted to do a simple file upload servlet. I basically started with an example program called "putfile.cgi" written by Mark Lutz in "Programming Python", 2nd edition. I wrote: UploadFile.py - program to prompt the user for the filename; UploadFileRes.py - program to respond to the request (I won't discuss program here). If a field represents an uploaded file, how to access the cgi.FieldStorage() attribute for "value". The traceback says: /var/www/html/CosExp/Contributions/ Traceback (most recent call last): File "WebKit/Application.py", line 306, in dispatchRequest File "WebKit/Application.py", line 413, in handleGoodURL File "WebKit/Application.py", line 487, in awake File "WebKit/Transaction.py", line 88, in awake File "/home/barg/public_html/CosExp/Contributions/UploadFile.py", line 22, in awake filetext = fileinfo.value AttributeError: value The code for UploadFile.py is attached (it's not long). Your comments are appreciated, -- irene ---------------------------------------------------------------- Irene Barg Email: ibarg@... Steward Observatory Phone: 520-621-2602 933 N. Cherry Ave. University of Arizona FAX: 520-621-1891 Tucson, AZ 85721 http://nickel.as.arizona.edu/~barg ----------------------------------------------------------------

Re: [Webware-discuss] file upload confusion From: Geoff Talvola <gtalvola@na...> - 2001-04-02 20:32 Irene, You may be the first person to try file uploads with Webware! Unfortunately, it looks to me like HTTPRequest doesn't allow you to get at the contents of a file upload. In particular, there's a suspicious chunk of code starting with the comment: # We use the cgi module to get the fields, but then change them into an ordinary dictionary of values that looks like it's throwing away the necessary information to get the uploaded file's contents. This should be easy for one of the Webware developers to fix. Chuck? Jay? I don't have time to fix it right now. Irene Barg wrote: > Hello, > > I'm not only new to Webware, but relatively new to Python, > so be kind. I'm having a hard time porting simple Python > cgi programs into Webware. As my first real attempt to > programming in WebKit, I wanted to do a simple file upload > servlet. I basically started with an example program called > "putfile.cgi" written by Mark Lutz in "Programming Python", > 2nd edition. I wrote: > > UploadFile.py - program to prompt the user for the filename; > UploadFileRes.py - program to respond to the request (I > won't discuss program here). > > If a field represents an uploaded file, how to access the > cgi.FieldStorage() attribute for "value". > > -- - Geoff Talvola Parlance Corporation gtalvola@...

Re: [Webware-discuss] file upload confusion From: Irene Barg <ibarg@as...> - 2001-04-02 21:14 Geoff, Ok. I'll try to work around this. Thanks, --irene Geoff Talvola wrote: > > Irene, > > You may be the first person to try file uploads with Webware! Unfortunately, it looks to me like HTTPRequest doesn't allow you to get at the contents of a file upload. In particular, there's a suspicious chunk of code starting with the comment: > > # We use the cgi module to get the fields, but then change them into an ordinary dictionary of values > > that looks like it's throwing away the necessary information to get the uploaded file's contents. > > This should be easy for one of the Webware developers to fix. Chuck? Jay? I don't have time to fix it right now. > > Irene Barg wrote: > > > Hello, > > > > I'm not only new to Webware, but relatively new to Python, > > so be kind. I'm having a hard time porting simple Python > > cgi programs into Webware. As my first real attempt to > > programming in WebKit, I wanted to do a simple file upload > > servlet. I basically started with an example program called > > "putfile.cgi" written by Mark Lutz in "Programming Python", > > 2nd edition. I wrote: > > > > UploadFile.py - program to prompt the user for the filename; > > UploadFileRes.py - program to respond to the request (I > > won't discuss program here). > > > > If a field represents an uploaded file, how to access the > > cgi.FieldStorage() attribute for "value". > > > > > -- > > - Geoff Talvola > Parlance Corporation > gtalvola@... > > _______________________________________________ > Webware-discuss mailing list > Webware-discuss@... > http://lists.sourceforge.net/lists/listinfo/webware-discuss -- ---------------------------------------------------------------- Irene Barg Email: ibarg@... Steward Observatory Phone: 520-621-2602 933 N. Cherry Ave. University of Arizona FAX: 520-621-1891 Tucson, AZ 85721 http://nickel.as.arizona.edu/~barg ----------------------------------------------------------------

Re: [Webware-discuss] file upload confusion From: Ian Bicking <ianb@co...> - 2001-04-02 22:18 I have in the past used file upload from the cgi library without any problem, by treating it just like any other value. You have to do extra stuff or you lose the extra information (the filename, perhaps filetype? I can't remember), and I don't think there's any way to get that from Webware at this point. Irene, if you just want the contents I believe they will be in fileinfo (as a string), i.e., change "fileinfo.value" to "fileinfo". Geoff Talvola <gtalvola@...> wrote: > Irene, > > You may be the first person to try file uploads with Webware! Unfortunately, it looks to me like HTTPRequest doesn't allow you to get at the contents of a file upload. In particular, there's a suspicious chunk of code starting with the comment: > > # We use the cgi module to get the fields, but then change them into an ordinary dictionary of values > > that looks like it's throwing away the necessary information to get the uploaded file's contents. > > This should be easy for one of the Webware developers to fix. Chuck? Jay? I don't have time to fix it right now. > > > Irene Barg wrote: > > > Hello, > > > > I'm not only new to Webware, but relatively new to Python, > > so be kind. I'm having a hard time porting simple Python > > cgi programs into Webware. As my first real attempt to > > programming in WebKit, I wanted to do a simple file upload > > servlet. I basically started with an example program called > > "putfile.cgi" written by Mark Lutz in "Programming Python", > > 2nd edition. I wrote: > > > > UploadFile.py - program to prompt the user for the filename; > > UploadFileRes.py - program to respond to the request (I > > won't discuss program here). > > > > If a field represents an uploaded file, how to access the > > cgi.FieldStorage() attribute for "value". > > > > > -- > > > - Geoff Talvola > Parlance Corporation > gtalvola@... > > > _______________________________________________ > Webware-discuss mailing list > Webware-discuss@... > http://lists.sourceforge.net/lists/listinfo/webware-discuss >

Re: [Webware-discuss] file upload confusion From: Chuck Esterbrook <echuck@mi...> - 2001-04-02 22:32 At 04:32 PM 4/2/2001 -0400, Geoff Talvola wrote: >This should be easy for one of the Webware developers to >fix. Chuck? Jay? I don't have time to fix it right now. Uh, you're not the only one. :-) Right now HTTPRequest returns the actual values for the fields. Someone pointed out that even if this worked for file uploads, you might not want the whole whopping file in memory. I *thought* someone posted a patch to fix this mess. It might have been vlk. Anyone remember that? -Chuck

Re: [Webware-discuss] file upload confusion From: Sam Penrose <sam@dd...> - 2001-04-02 22:43 WARNING: UNTESTED CODE This is from a transition-to-webware object that I use to wrap cgi.FieldStorage, analogous to HTTPRequest. I have not tested it yet, but it is pretty straightforward. The basic idea is that you call this during __init__ and it sets a flag and captures the client-side filenames, if they exist. Someone with CVS write access could probably modify it for HTTPRequest pretty quickly. def lookForFileUploads(self): """See if there are file uploads in the form; set a flag and a dictionary of key:clientSideFileName pairs appropriately.""" self.hasFileUploads = 0 self.clientSideFileNames = {} try: testObject = self.fieldStorage.list[0] except IndexError: return #no keys == no uploads if not hasattr(testObject, 'filename'): return #if one can't have file, all can't. fieldObjectsWithFiles = filter( lambda fieldStorage: fieldStorage.file, self.fieldStorage.list) if not fieldObjectsWithFiles: return #no fields actually had a file in them self.hasFileUploads = 1 for fieldObject in fieldObjectsWithFiles: self.clientSideFileNames[fieldObject.name] = fieldObject.filename On Mon, 02 Apr 2001, you wrote: > At 04:32 PM 4/2/2001 -0400, Geoff Talvola wrote: > >This should be easy for one of the Webware developers to > >fix. Chuck? Jay? I don't have time to fix it right now. > > Uh, you're not the only one. :-) > > > Right now HTTPRequest returns the actual values for the fields. Someone > pointed out that even if this worked for file uploads, you might not want > the whole whopping file in memory. I *thought* someone posted a patch to > fix this mess. It might have been vlk. > > Anyone remember that? > > > -Chuck > > > _______________________________________________ > Webware-discuss mailing list > Webware-discuss@... > http://lists.sourceforge.net/lists/listinfo/webware-discuss

1 message has been excluded from this view by a project administrator.