Addendum: It is true that the statement that "debug=true is a major security risk" is in the next section of the docs, "Getting Started", but nevertheless that is a section after the user is encouraged to start up the site with paster. May I humbly recommend, in addition to the other suggestions, also moving that section up before the "Testing the template project" section, in case the user does not read that section of the documentation because they gleaned "paster --reload development.ini" from somewhere else.
Sincerely,
Mats

On Jul 5, 8:34 pm, Mats <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I just installed Pylons and found the ability to execute python commands within the traceback pretty cool.
>
> Unfortunately I'm concerned that this could be a major security vulnerability. I was expecting that there might be some restriction on which machines can access the server, e.g. only to accept HTTP requests from localhost. I asked a friend to check from his computer and this was not the case: I was giving shell access to my machine to the entire web!
>
> It seems that some bright hacker or hacker network could look for computers with port 5000 open and attempt to make an HTTP request for a non-existent page, and if it's running Pylons then the script could automatically insert very nasty code into the traceback from the 404-like error message...
>
> (Yes, the development.ini file says that we should enable the debug=False option for production, but in my humble opinion 1) that message seems rather hidden (as opposed to an explicit warning yes/no prompt the first time one runs "paster --serve development.ini"), and 2) it seems to imply that running with debug=True as the default state is fine when you're new to Pylons and just wish to test this out of the box.)
>
> Please, could someone confirm or allay my confusion as to why this is not a major security vulnerability and not off by default, and perhaps suggest a way to keep this feature on but restrict access?
>
> At the very least, I would humbly recommend a command-line prompt when starting up for the first time...
>
> Thank you,
> Mats
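A practical check for the situation described in the thread, added here as an example and not code from Pylons or from either message: it parses a Paste-style .ini and reports whether the interactive debugger (debug = true) is being served on an address other than loopback, which is the combination that hands the traceback's Python prompt to anyone who can reach the port. The .ini layout it assumes (a `[DEFAULT] debug` setting, `[server:main] host`/`port`, and the commented-out `set debug = false` override in `[app:main]`) is taken from the shape of a generated Pylons development.ini and is an assumption; the three sample configs are constructed for the example.

```python
"""Flag a Paste/Pylons .ini whose interactive debugger (debug = true) is
bound to a non-loopback address.  Added example, not Pylons project code.
Assumed layout (from a generated Pylons development.ini): [DEFAULT] debug,
[server:main] host/port, and an optional "set debug = false" override in
[app:main]."""

import configparser

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
TRUE_VALUES = {"true", "1", "yes", "on"}


def _parse(ini_text):
    # Paste's loader expands %(here)s; that is irrelevant to this check, so
    # interpolation is disabled to keep cache_dir and similar keys from
    # raising errors.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return cp


def debug_enabled(cp):
    """True if the interactive debugger would be active for app:main."""
    app = cp["app:main"] if cp.has_section("app:main") else cp["DEFAULT"]
    # The generated ini sets "debug = true" in [DEFAULT] and expects the
    # deployer to uncomment "set debug = false" in [app:main]; the "set"
    # form overrides the global value, so it is checked first.
    if "set debug" in app:
        return app["set debug"].strip().lower() in TRUE_VALUES
    return app.get("debug", fallback="false").strip().lower() in TRUE_VALUES


def bind_address(cp):
    """(host, port) the Paste HTTP server will listen on."""
    host = cp.get("server:main", "host", fallback="127.0.0.1").strip()
    port = cp.get("server:main", "port", fallback="5000").strip()
    return host, port


def assess(ini_text):
    """Return (severity, message).  'critical' means anyone who can reach the
    port can execute Python on this machine through the traceback page."""
    cp = _parse(ini_text)
    host, port = bind_address(cp)
    if not debug_enabled(cp):
        return "ok", f"debug off; {host}:{port} serves plain error pages"
    if host in LOOPBACK:
        return "warning", f"debug on, but {host}:{port} is loopback-only"
    return "critical", (f"debug on and bound to {host}:{port}: the interactive "
                        "debugger is reachable from the network")


# Constructed samples (assumed shape of a generated Pylons development.ini):
# the weak default beside two hardened variants.
WEAK_INI = """\
[DEFAULT]
debug = true

[server:main]
use = egg:Paste#http
host = 0.0.0.0
port = 5000

[app:main]
use = egg:helloworld
full_stack = true
cache_dir = %(here)s/data
#set debug = false
"""

# Keep the debugger but only answer requests from the local machine.
LOOPBACK_INI = WEAK_INI.replace("host = 0.0.0.0", "host = 127.0.0.1")

# What the ini's own warning asks for in production: turn the debugger off.
PRODUCTION_INI = WEAK_INI.replace("#set debug = false", "set debug = false")

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("loopback", LOOPBACK_INI),
                      ("production", PRODUCTION_INI)):
        severity, message = assess(ini)
        print(f"{name:<10} {severity:<8} {message}")
```

Binding to 127.0.0.1 is the answer to "keep this feature on but restrict access": the traceback evaluator is still there for the developer, but a remote client never gets a socket to it. It is a weaker control than turning debug off, since anything else running on the same host (or a browser on it that can be coaxed into issuing requests to localhost:5000) can still reach the prompt, which is why the check reports it as a warning rather than ok.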
