bobince - 2001-09-12

It's probably worth adding a note in the docs reminding people to use a <Files> filter (or other means) to disallow access to the PYCs generated by PyApache when running scripts. If you forget to do this, attackers can download the Python bytecodes, resulting in possible security problems, especially if database connection user/pass details are included in the script.

There also seems to be something very odd about the way PyApache creates PYC files. I often use the extension '.p' for my scripts, leaving '.py' free for downloadable Python files. PyApache creates the PYCs with a '.pc' extension. This is fine. Similarly, a file named 'hello.' will end up with a PYC at 'hello.c'. However, other extensions ('hell.o', '.hello', 'hello' without an extension) cause an "invalid or corrupted PYC" error and fail to run the script.

Is there a workaround for this? I would like to be able to run Python scripts without an extension using "ForceType python-cgi-script" for pretty URLs without using mod_rewrite.
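
An added example, not part of the post above or of PyApache: a Python audit that walks a document root and reports files that look like compiled companions of a script under the naming the post describes (script name plus 'c'), then builds a regex for an Apache `<FilesMatch>` deny block. The function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile


def find_exposed_bytecode(docroot):
    """Return files under docroot whose name is a sibling script's name + 'c'."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        names = set(files)
        for name in files:
            # Naming reported in the post: 'x.p' -> 'x.pc', 'hello.' -> 'hello.c'.
            # Requiring the source sibling avoids flagging e.g. 'notes.doc'.
            if name.endswith("c") and name[:-1] in names:
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def deny_pattern(hits):
    """Build a regex matching the extensions of the bytecode files found."""
    exts = sorted({os.path.splitext(h)[1][1:] for h in hits} - {""})
    if not exts:
        return None
    return r"\.(" + "|".join(re.escape(e) for e in exts) + r")$"


def build_sample_tree(root):
    """Create a constructed sample document root (empty files only)."""
    os.makedirs(os.path.join(root, "app"))
    sample = ("index.p", "index.pc", "app/db.py", "app/db.pyc",
              "hello.", "hello.c", "notes.doc", "music")
    for rel in sample:
        with open(os.path.join(root, rel), "wb"):
            pass


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        found = find_exposed_bytecode(root)
        for path in found:
            print("bytecode inside document root:", path)
        print("regex for a <FilesMatch> deny block:", deny_pattern(found))
```

The generated regex also matches unrelated files with the same extensions (for example C sources ending in `.c`), so review it before putting it in the server configuration.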