Graham Dumpleton
grahamd at dscpl.com.au
Thu Oct 13 00:08:49 EDT 2005
With the mention of a site using PSP on the list, this might be a good time to highlight an issue related to mod_python.psp that anyone using it should be aware of. Quoting the documentation:

    If PythonDebug server configuration is On, then by appending an underscore ("_") to the end of the url you can get a nice side-by-side listing of original PSP code and resulting Python code generated by the psp module. This is very useful for debugging. Note: Leaving debug on in a production environment will allow remote users to display source code of your PSP pages!

It is therefore generally not a good idea to use PythonDebug if you are using mod_python.psp on a publicly accessible site. If you really do need PythonDebug to be enabled, I would at least recommend that the following also be placed into your Apache configuration.

    <Files *.psp_>
    deny from all
    </Files>

At least then if you have PythonDebug on so you can see stack traces, you don't also expose your source code. If you wanted to, you could still allow source code access if from selected hosts. You could also ensure that PythonDebug is only on if requests come from selected hosts.

Even with such a block, it is not a good idea to put database login names and passwords in any file in your document root. If it needs to be in a Python code file, put that module elsewhere and extend the Python path to add that location and use "import" to get it. At least then if the Apache configuration is mucked up in some other way, such sensitive information is not accessible if someone manages to fetch back your raw files.

Graham
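An added example, not from Graham's post or from the mod_python project: a small Python audit that checks an Apache configuration for the exposure described above (PythonDebug On without a <Files *.psp_> deny block) and flags literal credentials in .psp files under the document root. The sample configuration and PSP page are constructed, and the regular expressions are an assumption about how the directives are spelled in the file.

```python
import re

# Constructed sample vhost fragments (assumption: typical mod_python setup,
# not taken from the post).
WEAK_CONF = """
DocumentRoot /var/www/site
AddHandler mod_python .psp
PythonHandler mod_python.psp
PythonDebug On
"""

FIXED_CONF = WEAK_CONF + """
<Files *.psp_>
deny from all
</Files>
"""

FILES_RE = re.compile(r'<Files\s+"?([^>"\s]+)"?\s*>(.*?)</Files>', re.S | re.I)
# 'deny from all' is the Apache 2.2 form the post uses; 'Require all denied'
# is the Apache 2.4 equivalent.
DENY_RE = re.compile(r'^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$', re.M | re.I)
DEBUG_RE = re.compile(r'^\s*PythonDebug\s+On\b', re.M | re.I)

def psp_debug_findings(conf):
    """Return a list of findings for the PSP source-exposure issue."""
    if not DEBUG_RE.search(conf):
        return []            # debug off: an appended '_' reveals nothing
    for pattern, body in FILES_RE.findall(conf):
        if pattern.lower().endswith(".psp_") and DENY_RE.search(body):
            return []        # the deny block from the post is present
    return ["PythonDebug On without a <Files *.psp_> deny block: "
            "appending '_' to a PSP URL will show its source"]

CRED_RE = re.compile(r'\b(passw(or)?d|secret|api_?key)\s*=\s*[\'"][^\'"]+[\'"]', re.I)

def credential_findings(psp_files):
    """psp_files: {path: contents} for files under DocumentRoot. Flags literal
    credentials in .psp files, which the post says belong in a module outside
    the document root instead."""
    return [f"{path}: literal credential on line {n}"
            for path, text in psp_files.items()
            if path.endswith(".psp")
            for n, line in enumerate(text.splitlines(), 1)
            if CRED_RE.search(line)]

# Constructed sample PSP page with an embedded database password.
SAMPLE_FILES = {"/var/www/site/index.psp":
                "<%\nimport MySQLdb\ndb = MySQLdb.connect(user='web', passwd='s3cret')\n%>\n"}
```

Run `psp_debug_findings(WEAK_CONF)` and `credential_findings(SAMPLE_FILES)` to see one finding each; the fixed configuration and a credential-free page produce none.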