Clodoaldo Pinto Neto
clodoaldo.pinto at gmail.com
Sun Nov 5 18:09:53 EST 2006
2006/11/5, Graham Dumpleton <grahamd at dscpl.com.au>:
> Jim Gallacher wrote ..
> > You might want to mention the security implications of using .psp_.
> > Perhaps use the example of making a database connection with the user
> > name and password in the psp file. You wouldn't want to use this on a
> > publicly facing website. :)
>
> What one can do for .psp_ files is use:
>
>     <Files *.psp_>
>     deny from all
>     allow from localhost
>     </Files>
>
> In other words, restrict access to requests from localhost, or some other
> appropriate site.

I added this nice and simple tip to the tutorial.

> Unfortunately there isn't any way (that I know of), of specifying using just
> Apache configuration directives, that 'PythonDebug On' apply only to a
> specific client site. What one can do though is use a transhandler(), if in
> main configuration, or some later handler if in directory context and have:
>
>     from mod_python import apache
>
>     def transhandler(req):
>         # Switch PythonDebug on only for the listed client addresses.
>         if req.connection.remote_ip in ['...']:
>             req.get_config()['PythonDebug'] = '1'
>         else:
>             req.get_config()['PythonDebug'] = '0'
>         # Let the normal handler chain continue.
>         return apache.DECLINED
>
> In some respects a later handler might be better as you can possibly
> override anything set in the Apache configuration to force such a policy.
> Users could still override you again, in their own handler, but makes
> them do one extra non obvious step.
>
> One could even get quite tricky and require the presence of a special
> cookie in the request, with the only way of getting the cookie being to
> have logged into some special page of your web site and have it enabled.

This is quite instructive. I don't know if you are suggesting to include it in the tutorial. I fear that if I mention a transhandler in a PSP tutorial the reader will flee in terror to never look back.

Regards,
Clodoaldo Pinto Neto
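An added example (mine, not code from this thread or from mod_python itself) of the cookie-gated PythonDebug policy Graham sketches above: a fixup-phase handler turns debugging on only for requests from an allow-listed address or carrying an HMAC-signed, time-limited cookie that a hypothetical login page would have issued. The handler phase (PythonFixupHandler), the cookie name, the IP list and the secret are assumptions; FakeRequest is a constructed stand-in for mod_python's request object so the module also runs outside Apache.

```python
import hashlib
import hmac
import time

try:
    from mod_python import apache          # available only inside Apache
except ImportError:
    class apache(object):                  # stand-in so this runs outside Apache
        DECLINED = -1

# --- assumed site policy (hypothetical values, adjust for your site) ---
DEBUG_ALLOWED_IPS = frozenset(['127.0.0.1', '::1'])   # always allowed, like 'allow from localhost'
DEBUG_COOKIE_NAME = 'pydebug'
DEBUG_COOKIE_TTL = 3600                                # seconds a debug cookie stays valid
# Server-side key for the cookie MAC. Load it from a file outside the document
# root in a real deployment; this constant is only a placeholder.
DEBUG_SECRET = b'replace-me-with-32-random-bytes'


def make_debug_token(user, now=None, secret=DEBUG_SECRET):
    """Token the (hypothetical) login page sets in the cookie: user:expiry:hmac.

    The MAC covers both the user and the expiry, so neither can be edited by
    the browser without invalidating the token.
    """
    if now is None:
        now = int(time.time())
    payload = '%s:%d' % (user, now + DEBUG_COOKIE_TTL)
    mac = hmac.new(secret, payload.encode('utf-8'), hashlib.sha256).hexdigest()
    return payload + ':' + mac


def verify_debug_token(token, now=None, secret=DEBUG_SECRET):
    """True only for a well-formed, unexpired token with a matching MAC."""
    if now is None:
        now = int(time.time())
    try:
        user, expiry, mac = token.rsplit(':', 2)
        expiry = int(expiry)
    except (AttributeError, ValueError):
        return False                       # malformed: fail closed
    if expiry < now:
        return False                       # expired
    payload = '%s:%d' % (user, expiry)
    expected = hmac.new(secret, payload.encode('utf-8'), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)   # constant-time comparison


def parse_cookies(header):
    """Minimal Cookie: header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in (header or '').split(';'):
        if '=' in part:
            name, value = part.strip().split('=', 1)
            cookies[name] = value
    return cookies


def debug_allowed(remote_ip, cookie_header, now=None):
    """Policy: allow-listed client, or a valid debug cookie. Everything else: off."""
    if remote_ip in DEBUG_ALLOWED_IPS:
        return True
    token = parse_cookies(cookie_header).get(DEBUG_COOKIE_NAME)
    return token is not None and verify_debug_token(token, now)


def fixuphandler(req):
    """Register with 'PythonFixupHandler <module>' (assumed phase).

    Runs after the Apache config has been read for this request, so whatever
    PythonDebug says in httpd.conf is overridden by the policy above.
    """
    allowed = debug_allowed(req.connection.remote_ip, req.headers_in.get('Cookie'))
    req.get_config()['PythonDebug'] = '1' if allowed else '0'
    return apache.DECLINED                 # let the normal handler chain continue


class FakeRequest(object):
    """Constructed stand-in for mod_python's request object (demo/test only)."""
    class _Conn(object):
        def __init__(self, ip):
            self.remote_ip = ip

    def __init__(self, remote_ip, cookie_header=None):
        self.connection = self._Conn(remote_ip)
        self.headers_in = {'Cookie': cookie_header} if cookie_header else {}
        self._config = {'PythonDebug': 'On'}   # what httpd.conf might have set

    def get_config(self):
        return self._config


if __name__ == '__main__':
    token = make_debug_token('alice')
    for req in (FakeRequest('127.0.0.1'),
                FakeRequest('203.0.113.5'),
                FakeRequest('203.0.113.5', 'session=x; pydebug=' + token)):
        fixuphandler(req)
        print(req.connection.remote_ip, req.get_config()['PythonDebug'])
```

Because the handler rewrites PythonDebug on every request rather than only when the cookie is present, a stale or tampered cookie, or a request from an unlisted address, forces debugging off even if httpd.conf says On. The cookie is bound to an expiry, so a token leaked from a developer's browser stops working after DEBUG_COOKIE_TTL seconds.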