Red Hat Bugzilla – Bug 813122
Add the ability to enable hash randomization in mod_wsgi apps
Last modified: 2016-09-19 22:47:50 EDT
+++ This bug was initially created as a clone of Bug #812398 +++
The latest version of Python supports hash randomization.
For webapps deployed with mod_wsgi, it's not trivial to enable this feature to secure your webapp.
I first attempted to enable this feature by modifying Apache's init script (https://fedorahosted.org/fedora-infrastructure/ticket/3169). This approach is not ideal, because it adds Python-specific options to the Apache init script, which tends to be distro-specific anyway.
The ideal solution is to add an option to mod_wsgi that allows the user to enable hash randomization. I wrote a patch that adds a WSGIHashSeed option, and sent it upstream.
SRPM with patch: http://lmacken.fedorapeople.org/rpms/mod_wsgi-3.3-3.fc18.src.rpm
Any idea why adding PYTHONHASHSEED=random to /etc/sysconfig/httpd is not sufficient?
(In reply to Joe Orton from comment #2)
> Any idea why adding PYTHONHASHSEED=random to /etc/sysconfig/httpd is not
It is sufficient, but not ideal. I'm fine with closing out this bug if you would like, but we're still shipping very old mod_wsgi in RHEL7, which has a proper configuration directive for this.
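A way to check that a PYTHONHASHSEED setting such as the one discussed above actually takes effect, as an added example that is not part of the bug report or of mod_wsgi. The names probe, hashes_vary and application are hypothetical; the WSGI callable assumes it is mounted as a temporary diagnostic endpoint in the server being checked.

```python
import os
import subprocess
import sys

# Child snippet: print the interpreter's randomization flag and the hash of a
# fixed string, so that separate processes can be compared.
CHILD = "import sys; print(sys.flags.hash_randomization, hash('mod_wsgi-probe'))"


def probe(hashseed):
    """Run a fresh interpreter with PYTHONHASHSEED=hashseed (None = unset)."""
    env = dict(os.environ)
    env.pop("PYTHONHASHSEED", None)
    if hashseed is not None:
        env["PYTHONHASHSEED"] = hashseed
    out = subprocess.check_output([sys.executable, "-c", CHILD], env=env)
    flag, value = out.decode().split()
    return int(flag), int(value)


def hashes_vary(hashseed, runs=3):
    """True if str hashes differ between processes started with this setting."""
    return len({probe(hashseed)[1] for _ in range(runs)}) > 1


def application(environ, start_response):
    """WSGI callable (hypothetical diagnostic endpoint) that reports the flag
    from inside the server process itself, e.g. when loaded by mod_wsgi."""
    body = ("hash_randomization=%d PYTHONHASHSEED=%r\n" % (
        sys.flags.hash_randomization,
        os.environ.get("PYTHONHASHSEED"))).encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    # Constructed comparison: a fixed seed of 0 versus "random".
    for setting in ("0", "random"):
        print(setting, probe(setting)[0], hashes_vary(setting))
```

With PYTHONHASHSEED=0 every process produces the same string hashes; with PYTHONHASHSEED=random they differ from one process start to the next, which is the property the setting is meant to provide.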