Graham Dumpleton
grahamd at dscpl.com.au
Sun Nov 5 16:13:39 EST 2006
Jim Gallacher wrote ..
> You might want to mention the security implications of using .psp_.
> Perhaps use the example of making a database connection with the user
> name and password in the psp file. You wouldn't want to use this on a
> publicly facing website. :)
What one can do for .psp_ files is use:
<Files *.psp_>
    deny from all
    allow from localhost
</Files>
In other words, restrict access to requests from localhost, or some other
appropriate site.
Unfortunately there isn't any way (that I know of) of specifying, using just
Apache configuration directives, that 'PythonDebug On' applies only to a
specific client site. What one can do though is use a transhandler(), if in
the main configuration, or some later handler if in directory context, and have:
from mod_python import apache

def transhandler(req):
    # Turn debug output on only for the listed client addresses; every
    # other client gets PythonDebug forced off for this request.
    if req.connection.remote_ip in ['...']:
        req.get_config()['PythonDebug'] = '1'
    else:
        req.get_config()['PythonDebug'] = '0'
    # Decline so normal translation continues; only the config was touched.
    return apache.DECLINED
In some respects a later handler might be better as you can possibly
override anything set in the Apache configuration to force such a policy.
Users could still override you again, in their own handler, but it makes
them do one extra, non-obvious step.
One could even get quite tricky and require the presence of a special
cookie in the request, with the only way of getting the cookie being to
have logged into some special page of your web site and have it enabled.
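The two policies above (an address allow-list, then an additional cookie check) written out as an added example, not code from the original post or from mod_python itself. The decision is kept in plain functions so it can be exercised outside Apache; the network ranges, the cookie name and the cookie value are assumed placeholders, and the `apache` import falls back to a stand-in when mod_python is not installed. The code is Python 3, unlike the 2006-era snippet in the message.

```python
import hmac
import ipaddress
from http.cookies import CookieError, SimpleCookie

try:
    from mod_python import apache  # present only when running under Apache
except ImportError:
    class apache:  # stand-in so the policy can be tested without mod_python
        DECLINED = -1

# Assumed allow-list of client networks that may ever see debug output.
DEBUG_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Assumed cookie that a developer obtains from a login-protected page
# (constructed placeholder values; a real token would be random and per-session).
DEBUG_COOKIE_NAME = "mp_debug_token"
DEBUG_COOKIE_VALUE = "example-token-set-by-login-page"


def client_on_debug_network(remote_ip):
    """True if remote_ip parses and falls inside one of DEBUG_NETWORKS."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False  # unparsable address: never enable debug
    return any(addr in net for net in DEBUG_NETWORKS)


def client_has_debug_cookie(cookie_header):
    """True if the Cookie header carries the expected debug token."""
    if not cookie_header:
        return False
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return False  # malformed header: treat as no cookie
    morsel = jar.get(DEBUG_COOKIE_NAME)
    if morsel is None:
        return False
    # constant-time compare so the check does not leak the token by timing
    return hmac.compare_digest(morsel.value, DEBUG_COOKIE_VALUE)


def debug_setting(remote_ip, cookie_header=None, require_cookie=True):
    """Value for PythonDebug: '1' only when the client passes every check."""
    if not client_on_debug_network(remote_ip):
        return "0"
    if require_cookie and not client_has_debug_cookie(cookie_header):
        return "0"
    return "1"


def transhandler(req):
    """PythonTransHandler applying the policy to the current request."""
    cookie_header = req.headers_in.get("Cookie")
    req.get_config()["PythonDebug"] = debug_setting(
        req.connection.remote_ip, cookie_header
    )
    return apache.DECLINED  # let normal translation proceed
```

Because the cookie check runs after the network check, a developer must both come from an allowed address and have visited the login page; dropping `require_cookie` to False gives the plain address-only policy from the first handler.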
Graham