On 2011-03-23 12:27:09 -0700, Daniel Holth said:

> It would be fair to note that for the 'debug=hostname' convention you
> would also have to write the code to check the hostname against the
> debugged-ness.

Of course. Getting the hostname is trivial, however.
(import platform; print platform.uname()[1]) Both hostname (server
check) as well as IP address access restrictions are planned for
marrow.wsgi.debug, with a secure default of <host name on blueprint
creation> + restrict to 127.0.0.1.

> However, I suggest the strongest protection would be to not install
> Werkzeug at all in the Python environment that runs your production
> service.

Don't you mean WebError or Paste's debug middleware? Both are somewhat
required for normal operation, WebError for e-mail delivery of
exceptions and Paste because it's a monolithic package.

> The unavailability of other resources such as 'the testing database'
> could also prevent your code from running at all in production if you
> make the boneheaded mistake of trying to run it with the development
> config file.

This is true; though often my development and production database
connection information is the same, or simply has a different password.
No reason not to offer a secure, sane default, however.
— Alice.
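
The 'debug=hostname' check plus the 127.0.0.1 restriction discussed above, as an added example that is not part of the original message and is not marrow.wsgi.debug's code. The names debug_allowed and DebugGate, the host names and the sample requests are hypothetical, constructed for illustration.

```python
import platform

TRUTHY = {"1", "true", "yes", "on"}  # a bare boolean names no machine


def debug_allowed(configured_host, environ, allowed_ips=("127.0.0.1",),
                  current_host=None):
    """True only if this machine is the one named in the config AND the
    request comes from an allowed client address."""
    wanted = (configured_host or "").strip().lower()
    if not wanted or wanted in TRUTHY:
        return False  # fail closed: debug=true enables nothing anywhere
    # platform.uname()[1] is the node (host) name, as in the message above.
    here = (current_host or platform.uname()[1]).strip().lower()
    if wanted != here:
        return False
    # Use the socket peer only; X-Forwarded-For can be set by the client.
    # Behind a same-host reverse proxy REMOTE_ADDR is always 127.0.0.1,
    # so in that layout this check alone restricts nothing.
    return environ.get("REMOTE_ADDR") in allowed_ips


class DebugGate:
    """WSGI middleware: hand the request to debug_app only when allowed."""
    def __init__(self, app, debug_app, configured_host, **kw):
        self.app, self.debug_app = app, debug_app
        self.configured_host, self.kw = configured_host, kw

    def __call__(self, environ, start_response):
        ok = debug_allowed(self.configured_host, environ, **self.kw)
        return (self.debug_app if ok else self.app)(environ, start_response)


def _app(label):
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [label]
    return app


def demo():
    # Constructed scenario: config written on "devbox", then copied to "prod01".
    results = {}
    for host in ("devbox", "prod01"):
        gate = DebugGate(_app(b"plain"), _app(b"debug"), "devbox",
                         current_host=host)
        for ip in ("127.0.0.1", "203.0.113.9"):
            body = gate({"REMOTE_ADDR": ip}, lambda status, headers: None)
            results[(host, ip)] = body[0]
    return results
```

Only the development host with a loopback client reaches the debug application; the same config file on any other host serves the plain application.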