[mod_python] PSP global variables

Graham Dumpleton grahamd at dscpl.com.au
Sun Nov 5 16:13:39 EST 2006


Jim Gallacher wrote ..
> You might want to mention the security implications of using .psp_.
> Perhaps use the example of making a database connection with the user 
> name and password in the psp file. You wouldn't want to use this on a 
> publicly facing website. :)

What one can do for .psp_ files is use:

  <Files *.psp_>
  deny from all
  allow from localhost
  </Files>

In other words, restrict access to requests from localhost, or some other
appropriate site.

Unfortunately there isn't any way (that I know of) of specifying, using just
Apache configuration directives, that 'PythonDebug On' apply only to a
specific client site. What one can do though is use a transhandler(), if in
main configuration, or some later handler if in directory context and have:

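  from mod_python import apache

  def transhandler(req):
    # Enable PythonDebug only for requests from the listed client addresses.
    if req.connection.remote_ip in ['...']:
      req.get_config()['PythonDebug'] = '1'
    else:
      req.get_config()['PythonDebug'] = '0'
    return apache.DECLINED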

In some respects a later handler might be better as you can possibly
override anything set in the Apache configuration to force such a policy.
Users could still override you again, in their own handler, but it makes
them do one extra non-obvious step.

One could even get quite tricky and require the presence of a special
cookie in the request, with the only way of getting the cookie being to
have logged into some special page of your web site and have it enabled.

Graham
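
Added example, not part of the message above and not mod_python code: a framework-independent sketch of the decision a handler could make before setting req.get_config()['PythonDebug'], combining the client address check with the signed cookie idea. All function names, the key, the trusted networks and the choice to require both conditions are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import time

# Hypothetical, constructed sample values; replace in any real deployment.
SECRET_KEY = b"constructed-sample-key-change-me"
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("::1/128")]
MAX_AGE = 3600  # seconds a debug cookie stays valid


def _sign(user, ts):
    msg = f"{user}|{ts}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_debug_cookie(user, now=None):
    """Cookie value to set after the user logs in to the special page."""
    ts = str(int(now if now is not None else time.time()))
    return f"{user}|{ts}|{_sign(user, ts)}"


def cookie_is_valid(value, now=None):
    """Check signature and age; any malformed value is rejected."""
    try:
        user, ts, sig = value.split("|")
        issued = int(ts)
    except (AttributeError, ValueError):
        return False
    # Constant-time comparison avoids leaking how much of the MAC matched.
    if not hmac.compare_digest(sig.encode(), _sign(user, ts).encode()):
        return False
    age = (now if now is not None else time.time()) - issued
    return 0 <= age <= MAX_AGE


def python_debug_value(remote_ip, cookie_value, now=None):
    """Return '1' only for a trusted client that also holds a valid cookie."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return "0"
    trusted = any(addr in net for net in TRUSTED_NETS)
    return "1" if trusted and cookie_is_valid(cookie_value, now) else "0"
```

Every failure path (unparseable address, missing cookie, bad signature, expired timestamp) falls through to '0', so debug output stays off unless both checks pass.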

