thanks, Graham!

best regards
--
Valery A.Khamenya

On Wed, Jul 1, 2009 at 12:02 PM, Graham Dumpleton <[email protected]> wrote:
>
> 2009/7/1 Valery Khamenya <[email protected]>:
> > wow, Graham, that was a great answer and my questions are fully answered.
> > it all was totally comprehensive for me except for this trailing part of
> > item 5:
> > "... Do note though that byte
> > coming the WSGI script file, even if it has a .py extension, shouldn't
> > be done. This is because it isn't used and the .pyc file if in normal
> > Apache document directory then might be downloadable as a static file."
>
> This is in part explained in:
>
> http://code.google.com/p/modwsgi/wiki/ReloadingSourceCode
>
> What it is alluding to is the fact that the WSGI script file is not
> imported using the C library equivalent of 'import' or '__import__'.
> Instead lower level functions are used which still results in a module
> being produced, but there is no side effect of creating a .pyc or .pyo
> file like with 'import' and '__import__'.
>
> Things are done this way for two reasons. The first is that 'import'
> and '__import__' require the name of the code file to be unique and
> that isn't going to happen for WSGI script files as resources in an
> Apache document directory hierarchy. For example, you might have
> index.py in multiple directories.
>
> As such, a module name is automatically fabricated based on the
> absolute path name of the code file instead. This allows same file
> name to be used in multiple directories without there being a clash.
> Just remember this only applies to WSGI script files used as entry
> points by mod_wsgi. All existing Python imports are as normal.
>
> The second reason for doing it this way is so as specifically not to
> generate a .pyc/.pyo type file. This is so the Apache document
> directories aren't polluted with the files if Apache user does have
> write access. If it was done and AddHandler was used to map the code
> file, with other files in the directory still being served as static
> files, then those .pyc/.pyo files would normally be downloadable if
> specific Apache configuration wasn't put in place to stop it. Although
> byte code, they could be decompiled and someone could work out what
> your code does.
>
> This is also the reason that Python module search path isn't updated
> to automatically include the directory the WSGI script file is in.
> Doing that would more easily allow people to stick other Python code
> files in document directories, perhaps accidentally exposing the code
> file or .pyc/.pyo files to download.
>
> So, the WSGI script files should usually have as little as possible in
> them and act merely as a bridge for mapping to actual application code
> located well away from Apache document directories. You should never
> stick application code under mapped Apache document directories. It is
> a mistake one often sees people do, even though it is a security risk
> to do so and they could be opening themselves up to having their
> application code downloaded.
>
> Graham
>
> > many thanks!
> > best regards
> > --
> > Valery A.Khamenya
> >
> >
> > On Wed, Jul 1, 2009 at 3:33 AM, Graham Dumpleton
> > <[email protected]> wrote:
> >>
> >> Do note though that byte
> >> coming the WSGI script file, even if it has a .py extension, shouldn't
> >> be done. This is because it isn't used and the .pyc file if in normal
> >> Apache document directory then might be downloadable as a static file.
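
The loading behaviour described in Graham's reply above, as an added sketch that is not part of the original thread and is not mod_wsgi's own code: a script file is compiled and executed under a module name fabricated from its absolute path, leaving no byte code behind, and an audit helper lists any .pyc/.pyo files that a document directory would expose. The naming scheme, the function names and the temporary directory layout are assumptions made for the example.

```python
import hashlib
import os
import py_compile
import sys
import tempfile
import types


def module_name_for(path):
    # Hypothetical naming scheme: derive the name from the absolute path so
    # index.py in two different directories never collides in sys.modules.
    digest = hashlib.sha256(os.path.abspath(path).encode()).hexdigest()
    return "_script_" + digest[:32]


def load_script(path):
    # compile() + exec() bypasses the import system, so no .pyc/.pyo is written.
    name = module_name_for(path)
    with open(path, "rb") as handle:
        code = compile(handle.read(), path, "exec")
    module = types.ModuleType(name)
    module.__file__ = path
    sys.modules[name] = module
    exec(code, module.__dict__)
    return module


def bytecode_files(root):
    # Audit helper: report every .pyc/.pyo below root (servable as static files).
    found = []
    for directory, _subdirs, files in os.walk(root):
        found += [os.path.join(directory, f) for f in files
                  if f.endswith((".pyc", ".pyo"))]
    return sorted(found)


def demo():
    # Constructed layout: a temporary directory stands in for a document root.
    docroot = tempfile.mkdtemp()
    modules = []
    for site in ("siteA", "siteB"):
        os.mkdir(os.path.join(docroot, site))
        script = os.path.join(docroot, site, "index.py")
        with open(script, "w") as handle:
            handle.write("SITE = %r\n" % site)
        modules.append(load_script(script))
    clean = bytecode_files(docroot)       # nothing written by load_script
    py_compile.compile(script, cfile=script + "c")  # explicit byte compile
    return modules, clean, bytecode_files(docroot)
```

Running `bytecode_files()` against a real document root gives a quick check for byte code that static file handling could serve.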
