By your assumption that arbitrary code execution will affect your SDK binaries (either java or python), I'am assuming that you are using Windows, downloading the SDK binaries from untrusted websites or not running the MD5 checksums. I suggest you to do all these: use Linux, downlaod only the code from Google and never deploy untrusted jars / python code with your application.
Hope this helps, -Ronoaldo Em terça-feira, 13 de março de 2012 17h50min01s UTC-3, Kaan Soral escreveu: > > If the SDK is accessible to the outer world, it poses a HUGE security risk > > One can simply write a script for "Interactive > Console<http://localhost/_ah/admin/interactive>" > and steal all your code/data > > To prevent this - one may restrict access to Development Console and > permit only 127.0.0.1, this can be easily done by modifying the Handlers of > the Development Console > > Can you guys think of any other security holes? > > I've been meaning to ask this for a long time, but at the same time I > didn't want to attract anyone to exploit these risks - but here it is anyway > -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To view this discussion on the web visit https://groups.google.com/d/msg/google-appengine/-/3IIWLIKjUHkJ. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
