Hello Christoph,

On Jul 6, 4:50 am, Christoph Haas <[EMAIL PROTECTED]> wrote:
> Hi, Mats...
>
> The warning about the debug mode isn't that hard to find. The senior chief
> deployment officer is supposed to customize the INI file anyway because
> that's what controls the behavior of the deployed application. You can't
> really blame the developer of the software if their users don't read the
> documentation.

However I DID read the documentation: I read the first two sections entitled "Installing Pylons" and "Getting Started", which nowhere state that modifying the development.ini file is necessary (or even encourage it) before the point at which the user is encouraged to run the startup script.

> Pylons is lead developed in the USA but I hope that doesn't mean that we
> others need all these security stickers like telling that microwaves
> aren't suited well for drying cats and that you should remove the
> sunscreen from your car before driving. Most likely not. =)
>
> The warning is there. And the paste_deploy_config.ini_tmpl (the template
> that is used to create INI files when you deploy the application) has set
> debug to False. So almost everybody should be safe. And the others deserve
> to get hacked. :)

I am so glad that a concern plus two kind suggestions by a newcomer to the fine Pylons community was addressed with sarcasm (paragraph 2) and "that I deserve to get hacked" (paragraph 3) as a response.

After further pondering, I feel this is a valid concern (not addressed in the docs or the startup script), and I would kindly reiterate to the community that this seems, in my humble opinion, like a security vulnerability. Some simple ways to address it might be to:

1) inform the user while running the startup script, or
2) restrict the session to localhost-only, with a startup script message explaining how to disable this (and a warning to disable debug), or
3) disable this feature by default but mention how to enable it in the documentation (which would be unfortunate because it is a cool feature),

as well as to modify the warning message in development.ini (should the user happen to see it) to change the words "a production environment" to "any environment not in a sandbox".

If people disagree with my sentiments (that this was addressed before docs:GettingStarted-section3, or that looking at the development.ini file should be obvious for a newbie, or that this would be hard to exploit), my intent was merely to state my concern and a few suggestions, not to argue it. Hope it helps.

Best wishes,
Mats

> Cheers
> Christoph
> --
> When you do things right people won't be sure you've done anything at all.
>
> On Sunday, 6 July 2008, Mats wrote:
> > I just installed Pylons and found the ability to execute python
> > commands within the traceback pretty cool.
> >
> > Unfortunately I'm concerned that this could be a major security
> > vulnerability. I was expecting that there might be some restriction on
> > which machines can access the server, e.g. only to accept HTTP
> > requests from localhost. I asked a friend to check from his computer
> > and this was not the case: I was giving shell access to my machine to
> > the entire web!
> >
> > It seems that some bright hacker or hacker network could look for
> > computers with port 5000 open and attempt to make an HTTP request for
> > a non-existent page, and if it's running Pylons then the script could
> > automatically insert very nasty code into the traceback from the 404-
> > like error message...
> >
> > ( Yes, the development.ini file says that we should enable the
> > debug=False option for production, but in my humble opinion 1) that
> > message seems rather hidden (as opposed to an explicit warning yes/no
> > prompt the first time one runs "paster --serve development.ini"), and
> > 2) it seems to imply that running with debug=True as the default state
> > is fine when you're new to Pylons and just wish to test this out of
> > the box. )
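The two configuration-side mitigations discussed in this thread (turn the interactive debugger off, or at least keep the development server bound to localhost) can be checked mechanically before the server starts. The script below is an added example, not part of this thread or of the Pylons or Paste projects: it reads a PasteDeploy-style INI and reports whether the debugger is effectively enabled and whether the server is bound beyond loopback. The three INI samples are constructed here; they follow the general layout of a Pylons development.ini (a global debug flag under [DEFAULT], host/port under [server:main], and a `set debug` override in [app:main]), and the function names audit_ini, effective_debug and load_ini are my own. Treating a missing host as 127.0.0.1 is an assumption.

```python
import configparser
from typing import List, Tuple

# Constructed sample: the shape a freshly generated development.ini has,
# debugger on and the HTTP server listening on every interface.
UNSAFE_INI = """\
[DEFAULT]
debug = true

[server:main]
use = egg:Paste#http
host = 0.0.0.0
port = 5000

[app:main]
use = egg:MyApp
# WARNING: the line below must be uncommented in a production environment
#set debug = false
"""

# Constructed sample: debugger still on, but reachable only from loopback
# (suggestion 2 in the thread).
LOCAL_ONLY_INI = UNSAFE_INI.replace("host = 0.0.0.0", "host = 127.0.0.1")

# Constructed sample: debugger switched off via the per-app override and
# the server bound to loopback (suggestion 3 plus a tighter bind).
HARDENED_INI = LOCAL_ONLY_INI.replace("#set debug = false", "set debug = false")

TRUE_VALUES = {"true", "1", "yes", "on"}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def load_ini(ini_text: str) -> configparser.ConfigParser:
    """Parse INI text; interpolation is disabled so '%' in values cannot break parsing."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    return cfg


def effective_debug(cfg: configparser.ConfigParser) -> bool:
    """PasteDeploy semantics: 'set debug = ...' in [app:main] wins over the global [DEFAULT] debug."""
    if cfg.has_option("app:main", "set debug"):
        raw = cfg.get("app:main", "set debug")
    else:
        # configparser propagates [DEFAULT] keys into every section, matching the global_conf behaviour.
        raw = cfg.get("app:main", "debug", fallback="false")
    return raw.strip().lower() in TRUE_VALUES


def audit_ini(ini_text: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings for a development.ini; an empty list means nothing to report."""
    cfg = load_ini(ini_text)
    # Assumption: a missing host means loopback; adjust if your server runner defaults differently.
    host = cfg.get("server:main", "host", fallback="127.0.0.1").strip().lower()
    exposed = host not in LOOPBACK_HOSTS
    findings: List[Tuple[str, str]] = []
    if effective_debug(cfg) and exposed:
        findings.append(("DEBUG_EXPOSED",
                         f"interactive debugger enabled and server bound to {host}: "
                         "anyone who can reach the port can execute Python on this host"))
    elif effective_debug(cfg):
        findings.append(("DEBUG_LOCAL",
                         f"interactive debugger enabled; reachable only from loopback ({host})"))
    return findings


if __name__ == "__main__":
    # Startup-time warning of the kind suggestion 1 in the thread asks for.
    for name, text in (("unsafe", UNSAFE_INI), ("local-only", LOCAL_ONLY_INI), ("hardened", HARDENED_INI)):
        for code, message in audit_ini(text) or [("OK", "no debugger exposure found")]:
            print(f"{name:11} {code}: {message}")
```

Run against a real development.ini by replacing the constructed strings with the file's contents; a deployment script can refuse to start, or print the warning, when audit_ini returns a DEBUG_EXPOSED finding.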
