On Wed, May 12, 2010 at 7:07 AM, djidjadji <[email protected]> wrote:
> 2010/5/12 djidjadji <[email protected]>:
> > If you want to prevent your client from downloading your code with the
> > method Nick describes, just choose some random URLs for the remote_api
> > and the deferred handler.
> >
> > The problem is that these random URLs are visible in the logs.
> > The only solution is to prevent the use of eval in deferred calls.

Actually, a better solution is to simply not enable both remote_api and
deferred if you are providing your app as a service and do not want it to be
possible for users to download the source. Alternately, you could instead
patch remote_api to restrict the APIs it can access - simply disabling remote
access to the task queue would be sufficient to prevent my hack from working.

-Nick Johnson

> You must make your own deferred handler and filter out the use of eval.
> app.yaml gets set up like this:
>
> -----------------
> - url: /_ah/queue/deferred
>   script: mydeferred_handler.py
>   login: admin
> -----------------
>
> mydeferred_handler.py is an adjustment of the default handler.py and
> deferred.py parts for the execution of deferred tasks.
>
> We also have to look for eval inside the run_from_datastore. And that
> could be wrapped inside a run_from_datastore ....... Unpack the
> request until we have another function call.
>
> In this deferred handler I have also disabled the INFO logging of
> every deferred Task invocation.
> This helps in browsing the log: no unneeded log entries.
>
> And I use logging.error to log the failure; this does not show a
> stack trace.
>
> Be sure to remove the CodeFile objects once you have stored them locally.
>
> ------------------mydeferred_handler.py---------------------
> # Alternative deferred handler to eliminate the execution of eval()
> # (Python 2.5 App Engine runtime: webapp, db and the old deferred module)
>
> import logging
> import os
> import pickle
>
> from google.appengine.ext import db
> from google.appengine.ext import webapp
> from google.appengine.ext.webapp.util import run_wsgi_app
> from google.appengine.ext import deferred
>
> def test_for_builtin_eval(func):
>     # reject a task whose callable is the builtin eval; getattr so that a
>     # callable without __name__/__module__ fails closed instead of raising
>     # AttributeError
>     if getattr(func, '__name__', None) == 'eval' and \
>        getattr(func, '__module__', None) == '__builtin__':
>         raise deferred.PermanentTaskFailure()
>
> class _DeferredTaskEntity(db.Model):
>     # same kind name and property as deferred's own entity, so payloads
>     # that deferred stored in the datastore can be loaded from here
>     data = db.BlobProperty(required=True)
>
> def my_run_from_datastore(key):
>     entity = _DeferredTaskEntity.get(key)
>     if not entity:
>         raise deferred.PermanentTaskFailure()
>     try:
>         # go through my_run rather than deferred.run, so that a
>         # run_from_datastore nested inside a run_from_datastore is
>         # unpacked and filtered as well
>         my_run(entity.data)
>         entity.delete()
>     except deferred.PermanentTaskFailure:
>         entity.delete()
>         raise
>
> def my_run(data):
>     try:
>         func, args, kwds = pickle.loads(data)
>     except Exception, e:
>         raise deferred.PermanentTaskFailure(e)
>     else:
>         test_for_builtin_eval(func)
>         # test if we run from datastore
>         if getattr(func, '__name__', None) == 'run_from_datastore' and \
>            getattr(func, '__module__', None) == 'google.appengine.ext.deferred.deferred':
>             return my_run_from_datastore(*args, **kwds)
>         else:
>             return func(*args, **kwds)
>
> class TaskHandler(webapp.RequestHandler):
>     def post(self):
>         #headers = ["%s:%s" % (k, v) for k, v in self.request.headers.items()
>         #           if k.lower().startswith("x-appengine-")]
>         #logging.info(", ".join(headers))
>
>         try:
>             my_run(self.request.body)
>         except deferred.PermanentTaskFailure, e:
>             # if you need the stack trace, mail it to your developer email address
>             # use ERROR: no logging of filenames
>             logging.error("Permanent failure attempting to execute task")
>
> application = webapp.WSGIApplication([(".*", TaskHandler)])
>
> def main():
>     run_wsgi_app(application)
>
> if __name__ == "__main__":
>     main()
> ------------------------------------------------------------------------
>
> --
> You received this message because you are subscribed to the Google Groups
> "Google App Engine" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/google-appengine?hl=en.

--
Nick Johnson, Developer Programs Engineer, App Engine
Google Ireland Ltd. :: Registered in Dublin, Ireland, Registration Number: 368047
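An added example, not code from the thread or from App Engine's deferred library: a Python 3 stand-in for the task runner in the quoted handler. The handler above unpickles a (func, args, kwds) payload and then deny-lists __builtin__.eval. This version goes one step further than the post and resolves every global the payload names through an allowlist inside the unpickler itself (find_class), because pickle can call a referenced global via __reduce__ while pickle.loads() is still running, before any check on the returned tuple gets a chance to run. It also keeps the post's "unpack a stored payload and filter it again" behaviour. TaskRegistry, run_task, run_from_store, the in-memory _STORE and the sample tasks are assumptions for illustration; the attack payloads are constructed inline.

```python
# Added example (Python 3), not from the thread or from google.appengine.ext.deferred.
# Names below (TaskRegistry, run_task, run_from_store, _STORE) are assumed for illustration.
import io
import os
import pickle


class PermanentTaskFailure(Exception):
    """Payload must not be retried (same role as deferred.PermanentTaskFailure)."""


class TaskRegistry:
    """Allowlist of callables a task payload may reference, keyed by pickle identity."""

    def __init__(self):
        self._allowed = {}

    def task(self, func):
        """Decorator: register func under the (module, qualname) pickle writes for it."""
        self._allowed[(func.__module__, func.__qualname__)] = func
        return func

    def find(self, module, name):
        try:
            return self._allowed[(module, name)]
        except KeyError:
            raise PermanentTaskFailure("unregistered callable %s.%s" % (module, name))


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose find_class consults the registry instead of importing modules.

    Any GLOBAL/STACK_GLOBAL opcode for an unregistered name aborts the load,
    so a __reduce__ payload pointing at os.system never gets resolved, let alone called."""

    def __init__(self, data, registry):
        super().__init__(io.BytesIO(data))
        self._registry = registry

    def find_class(self, module, name):
        return self._registry.find(module, name)


def run_task(data, registry):
    """Decode and run one (func, args, kwds) payload, as the deferred handler does."""
    try:
        func, args, kwds = RestrictedUnpickler(data, registry).load()
    except PermanentTaskFailure:
        raise
    except Exception as exc:  # corrupt or malformed payload: do not retry
        raise PermanentTaskFailure("bad payload: %r" % (exc,))
    if not callable(func):
        raise PermanentTaskFailure("payload target is not callable")
    return func(*args, **kwds)


registry = TaskRegistry()
_STORE = {}  # stands in for the _DeferredTaskEntity rows, keyed by datastore key


@registry.task
def run_from_store(key):
    """Counterpart of run_from_datastore: fetch a large payload, run it, delete it.

    It goes back through run_task, so a payload nested inside a stored one is
    checked against the same allowlist (the quoted handler unwraps the same way)."""
    try:
        data = _STORE.pop(key)
    except KeyError:
        raise PermanentTaskFailure("no stored payload for %r" % (key,))
    return run_task(data, registry)


@registry.task
def add(a, b):
    return a + b


class _CallsSystemOnLoad:
    """Constructed attack payload: pickle would call os.system during loads()."""

    def __reduce__(self):
        return (os.system, ("echo pwned",))


def demo():
    """Outcomes for a benign task, a stored task, an eval payload and a __reduce__ payload."""
    results = {}
    results["add"] = run_task(pickle.dumps((add, (2, 3), {})), registry)

    _STORE["k1"] = pickle.dumps((add, (40, 2), {}))
    results["stored"] = run_task(pickle.dumps((run_from_store, ("k1",), {})), registry)

    for label, payload in (
        ("eval", pickle.dumps((eval, ("1+1",), {}))),
        ("reduce", pickle.dumps((_CallsSystemOnLoad(), (), {}))),
    ):
        try:
            run_task(payload, registry)
            results[label] = "ran"
        except PermanentTaskFailure:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice is the direction of the filter: the quoted handler names the one callable it knows is dangerous, while the registry names the only callables a task may ever reach, and applies that inside the unpickler so nothing the payload references is resolved before being checked. The rest of the task machinery (stored payloads, permanent failures that must not be retried) works exactly as in the post.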
