I'll start by saying that I could very well be wrong about this, but this looks like a security problem to me. In the standard development.ini file for every paster project (Pylons 0.96, paste 1.7.1), the host and debug are set as:

    host = 0.0.0.0

    # WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*
    # Debug mode will enable the interactive debugging tool, allowing ANYONE to
    # execute malicious code after an exception is raised.
    #set debug = false

This seems odd to me. Debug mode allows ANYONE to execute malicious code, yet connections are accepted from ANYONE by default in debug mode. Shouldn't host only accept connections from the localhost by default considering how debug allows arbitrary code execution?

If I'm wrong, I'm very sorry for raising alarm bells (could someone please enlighten me as to why this isn't a problem?), but if I'm not, shouldn't this be changed?

Thanks for your help,
Nick
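
A check for the combination raised in the message above, as an added example that is not part of the original post or of Pylons/Paste. It flags any server section bound beyond loopback while an app section has debug enabled. The sample file is constructed: the [DEFAULT], [server:main] and [app:main] layout, the egg:exampleapp name, the set of true values, treating an unset debug as off, and the function names audit and is_loopback are assumptions.

```python
import configparser
import ipaddress

TRUE_WORDS = {"true", "yes", "on", "y", "t", "1"}  # values treated as true (assumption)

# Constructed sample; the section layout is assumed, only the host line and
# the commented-out "set debug" line come from the post.
SAMPLE_DEV_INI = """\
[DEFAULT]
debug = true

[server:main]
use = egg:Paste#http
host = 0.0.0.0

[app:main]
use = egg:exampleapp
#set debug = false
"""

def is_loopback(host):
    """True only if the bind address is reachable from this machine alone."""
    if host.strip().lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip()).is_loopback
    except ValueError:
        return False  # unknown hostname: assume it may be reachable remotely

def audit(ini_text):
    """Return warnings for servers bound beyond loopback while debug is on."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %(here)s literal
    cp.read_string(ini_text)
    exposed = [(s, cp[s]["host"]) for s in cp.sections()
               if s.startswith("server:") and "host" in cp[s]
               and not is_loopback(cp[s]["host"])]
    debug_apps = []
    for s in cp.sections():
        if s.startswith("app:"):
            # "set debug" overrides the value inherited from [DEFAULT]
            value = cp[s].get("set debug", cp[s].get("debug", "false"))
            if value.strip().lower() in TRUE_WORDS:
                debug_apps.append(s)
    return [f"[{srv}] host = {host} with debug enabled in [{app}]"
            for srv, host in exposed for app in debug_apps]

if __name__ == "__main__":
    for warning in audit(SAMPLE_DEV_INI):
        print("WARNING:", warning)
```

Either binding to 127.0.0.1 or uncommenting the set debug = false line clears the warning.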
