[mod_python] PSP global variables

Clodoaldo Pinto Neto clodoaldo.pinto at gmail.com
Sun Nov 5 18:09:53 EST 2006

2006/11/5, Graham Dumpleton <grahamd at dscpl.com.au>:
> Jim Gallacher wrote ..
> > You might want to mention that the security implications of using .psp_.
> > Perhaps use the example of making a database connection with the user
> > name and password in the psp file. You wouldn't want to use this on a
> > publicly facing website. :)
> What one can do for .psp_ files is use:
>   <Files *.psp_>
>   deny from all
>   allow from localhost
>   </Files>
> In other words, restrict access to requests from localhost, or some other
> appropriate site.

I added this nice and simple tip to the tutorial

> Unfortunately there isn't any way (that I know of), of specifying using just
> Apache configuration directives, that 'PythonDebug On' apply only to a
> specific client site. What one can do though is use a transhandler(), if in
> main configuration, or some later handler if in directory context and have:
>   def transhandler(req):
>     if req.connection. remote_ip in ['...']:
>       req.get_config()['PythonDebug'] = '1'
>     else:
>       req.get_config()['PythonDebug'] = '0'
>     return apache.DECLINED
> In some respects a later handler might be better as you can possibly
> override anything set in the Apache configuration to force such a policy.
> Users could still override you again, in their own handler, but makes
> them do one extra non obvious step.
> One could even get quite tricky and require the presence of a special
> cookie in the request, with the only way of getting the cookie being to
> have logged into some special page of your web site and have it enabled.

This is quite instructive. I don't know if you are suggesting to
include it in the tutorial. I fear that if i mention a transhandler in
a PSP tutorial the reader will flee in terror to never look back.

Regards, Clodoaldo Pinto Neto

More information about the Mod_python mailing list