Here's a git-diff. It disables remote debug & cachedump support.
Feedback is welcomed. It works fine on our server since this morning. Sorry for not having posted this earlier. //Logan C-x-C-c Esokia Web Agency http://www.esokia-webagency.com/ diff --git a/memcached.c b/memcached.c index 750c8b3..eb0343f 100644 --- a/memcached.c +++ b/memcached.c @@ -2336,8 +2336,7 @@ inline static void process_stats_detail(conn *c, const char *command) { assert(c != NULL); if (strcmp(command, "on") == 0) { - settings.detail_enabled = 1; - out_string(c, "OK"); + out_string(c, "Remote debug support disabled"); } else if (strcmp(command, "off") == 0) { settings.detail_enabled = 0; 
@@ -2469,27 +2468,7 @@ static void process_stat(conn *c, token_t *tokens, const size_t ntokens) { } else if (strcmp(subcommand, "settings") == 0) { process_stat_settings(&append_stats, c); } else if (strcmp(subcommand, "cachedump") == 0) { - char *buf; - unsigned int bytes, id, limit = 0; - - if (ntokens < 5) { - out_string(c, "CLIENT_ERROR bad command line"); - return; - } - - if (!safe_strtoul(tokens[2].value, &id) || - !safe_strtoul(tokens[3].value, &limit)) { - out_string(c, "CLIENT_ERROR bad command line format"); - return; - } - - if (id >= POWER_LARGEST) { - out_string(c, "CLIENT_ERROR Illegal slab id"); - return; - } - - buf = item_cachedump(id, limit, &bytes); - write_and_free(c, buf, bytes); + out_string(c, "Cachedump disabled"); return ; } else { /* getting here means that the subcommand is either engine specific or On Sat, Aug 7, 2010 at 6:24 PM, Henrik Schröder <[email protected]> wrote: > What do you mean "at startup"? I click "start service" in my service > control panel, and then... where would that warning be displayed? > > Seriously though, there are many ways to solve this problem, binding to > private IPs is one way to do it, but not necessarily the best way, and > definitely not the only way. If you run memcached you should realize that > there's no security whatsoever on it, and leaving it open to the internet at > large is a pretty stupid idea. How to best secure it depends greatly on the > local circumstances, and that is not something memcached itself should start > second-guessing the local admins about. > > > /Henrik > > > On Sat, Aug 7, 2010 at 14:09, samwyse <[email protected]> wrote: > >> I've just now suggested this on Slashdot: At startup, issue a big >> multi-line warning if the IP addresses that are getting bound aren't >> on the loopback address or a private internet. 
The private internets
>> are defined in RFC 1918 as:
>>
>> 10.0.0.0 - 10.255.255.255 (10/8 prefix)
>> 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
>> 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
>>
>
>

--
`` Real men run current !''
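Review bot: In the process_stats_detail() hunk, the "on" branch now answers with the free-form line "Remote debug support disabled", which is neither the "OK" it used to send nor an error in the "CLIENT_ERROR ..." form that the cachedump code in the same patch uses. A client that looks for an error prefix will not recognise this as a refusal. Suggest out_string(c, "CLIENT_ERROR stats detail disabled"); plus a short comment saying why the branch no longer sets settings.detail_enabled. The "off" branch still clears the flag, so the two branches should be checked together for consistent replies.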
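Review bot: In the process_stat() hunk, the cachedump branch replies "Cachedump disabled", while every refusal in the lines it removes used a "CLIENT_ERROR ..." reply; keeping that form, e.g. out_string(c, "CLIENT_ERROR cachedump disabled");, lets clients parse it as an error. The removal is also unconditional: guarding the deleted block with a setting or a compile-time switch, rather than deleting it, would keep cachedump available for local debugging, and a comment should state why it is off.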
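The startup check suggested in the quoted message (warn when a bound address is neither loopback nor in an RFC 1918 range) could look like the following. This is an added example, not memcached code and not part of the patch above; the names `classify_bind_addr` and `warn_exposed_binds` are hypothetical, the sample addresses are constructed, and only IPv4 is handled because the ranges quoted are IPv4.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper types: how exposed is a configured bind address? */
enum bind_scope { BIND_INVALID = -1, BIND_PUBLIC = 0, BIND_LOOPBACK, BIND_PRIVATE };

struct net_range { uint32_t net, mask; enum bind_scope scope; };

/* Loopback plus the three RFC 1918 ranges listed in the thread. */
static const struct net_range ranges[] = {
    { 0x7F000000u, 0xFF000000u, BIND_LOOPBACK }, /* 127.0.0.0/8    */
    { 0x0A000000u, 0xFF000000u, BIND_PRIVATE  }, /* 10.0.0.0/8     */
    { 0xAC100000u, 0xFFF00000u, BIND_PRIVATE  }, /* 172.16.0.0/12  */
    { 0xC0A80000u, 0xFFFF0000u, BIND_PRIVATE  }, /* 192.168.0.0/16 */
};

enum bind_scope classify_bind_addr(const char *text) {
    struct in_addr a;
    if (text == NULL || inet_pton(AF_INET, text, &a) != 1)
        return BIND_INVALID;               /* not a dotted-quad IPv4 address */
    uint32_t ip = ntohl(a.s_addr);         /* compare in host byte order */
    for (size_t i = 0; i < sizeof(ranges) / sizeof(ranges[0]); i++)
        if ((ip & ranges[i].mask) == ranges[i].net)
            return ranges[i].scope;
    return BIND_PUBLIC;                    /* includes 0.0.0.0 (all interfaces) */
}

/* Print one warning per address that is not loopback or private;
 * returns how many warnings were issued. */
int warn_exposed_binds(const char *const *addrs, size_t n) {
    int exposed = 0;
    for (size_t i = 0; i < n; i++) {
        if (classify_bind_addr(addrs[i]) <= BIND_PUBLIC) {
            fprintf(stderr, "WARNING: bind address %s is not loopback or "
                            "RFC 1918 private; the cache has no access "
                            "control of its own\n", addrs[i]);
            exposed++;
        }
    }
    return exposed;
}

int main(void) {
    /* Constructed sample configuration. */
    const char *const addrs[] = { "127.0.0.1", "192.168.0.10", "0.0.0.0" };
    return warn_exposed_binds(addrs, 3) == 1 ? 0 : 1;
}
```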
