If you are using Ubiquitous Larch on your personal desktop or laptop computer, this will not affect you, as by default, Ubiquitous Larch is only accessible from a browser running on the local machine (localhost).
If you wish to run Ubiquitous Larch on a public web server, you need to take security precautions. Running Ubiquitous Larch allows other people to run arbitrary Python code on your server, and it has been found to be largely impossible to do this in a secure manner. As a consequence, Ubiquitous Larch uses a global password for security. Providing user accounts would give a false sense of security: one of your users could use the Python interpreter to access the authentication system and elevate their privileges, making account-based authentication useless. When you give a user the global password, assume that you are granting that user the same access rights available to the web server process. You should assume that allowing access to a Python interpreter would permit:
Therefore, it would be advisable to ensure that:
The author(s) of Ubiquitous Larch take NO responsibility for any damage, or indeed anything that occurs as a result of its use.
If you are not comfortable with the above conditions or do not understand them, please do not use this software.
The Ubiquitous Larch package available from the download page includes a WSGI server module called wsgi_ularch. This module defines a variable called app that implements the WSGI application interface.
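One way to host the app object while keeping the localhost-only exposure described at the top of this page, shown as an added example that is not part of the Ubiquitous Larch distribution. The names loopback_only, probe and stand_in_app and the port 8000 are assumptions made for illustration; only wsgi_ularch and app come from the text above.

```python
import ipaddress
from wsgiref.simple_server import make_server


def loopback_only(wsgi_app):
    """Wrap a WSGI app so that only loopback clients reach it (hypothetical helper)."""
    def guarded(environ, start_response):
        try:
            client = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
            allowed = client.is_loopback
        except ValueError:
            allowed = False  # missing or malformed address: fail closed
        if not allowed:
            body = b"Forbidden\n"
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return wsgi_app(environ, start_response)
    return guarded


def probe(wsgi_app, remote_addr):
    """Call a WSGI app with a constructed environ and return its status line."""
    seen = []
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": remote_addr}
    list(wsgi_app(environ, lambda status, headers: seen.append(status)))
    return seen[0]


def stand_in_app(environ, start_response):
    """Constructed placeholder, used only to exercise the guard offline."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


if __name__ == "__main__":
    from wsgi_ularch import app  # the WSGI application variable named above

    # Binding to 127.0.0.1 keeps the listener off external interfaces; the
    # wrapper is a second check in case the bind address is changed later.
    # Behind a reverse proxy REMOTE_ADDR is the proxy's own address, so the
    # wrapper only helps when clients connect to this server directly.
    # Port 8000 is an assumed value.
    with make_server("127.0.0.1", 8000, loopback_only(app)) as httpd:
        httpd.serve_forever()
```

The wrapper does not replace the global password; it only limits which clients get as far as the password prompt.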
When you first start the server, you will get a page that warns you of the security implications and informs you of the procedure for setting the global password. Please follow these instructions to get started.