+ 1
2008/5/16 Fabien POTENCIER <[EMAIL PROTECTED]>:
>
> I like the simplicity, the simple configurability, ... well everything.
>
> +1 for me
>
> Fabien
>
> --
> Fabien Potencier
> Sensio CEO - symfony lead developer
> sensiolabs.com | symfony-project.com | aide-de-camp.org
> Tél: +33 1 40 99 80 80
>
>
> Fabian Lange wrote:
> > Hi *,
> > Interesting that there are so many replies.
> > I'll reply to the initial posting, cause I feel that I can't agree on any
> > other.
> >
> > My proposal is: make symfony safe for people that don't know what they are
> > doing.
> > I say that because:
> > http://www.google.de/search?q=inurl:frontend_dev.php
> >
> > I just assume that everything was deployed to the live system.
> > As this should work also for all servers it shouldn't be a .htaccess based
> > solution.
> >
> > To follow my proposal, and make it really simple:
> >
> > Add to all non production controllers:
> >
> > <?php
> > // This prevents accidental access to non production frontends
> > if (!in_array($_SERVER['REMOTE_ADDR'], array('127.0.0.1')))
> > {
> >   echo('Your IP '.$_SERVER['REMOTE_ADDR'].' is not in set of allowed IPs.');
> >   echo('Check '.__FILE__.' For more information. ');
> >   die();
> > }
> > ?>
> >
> > This is:
> > - easy: No config required. Works by default 100% secure.
> > - extensible: If devs want to keep it, it's easy to understand where to add
> >   new ips.
> > - performant: Absolutely no impact on the production controller (compared
> >   with apache and filter rules)
> > - removable: remove those 7 lines and you have removed the whole default
> >   protection
> > - dummy safe: you can deploy it to server without looking at it and it is
> >   safe.
> >
> > This does NOT provide complete security against "attacks". Let's say you
> > added your company proxy IP, a colleague not working on this project could
> > get access to it as well.
> > However it adds a lot of security for random attack attempts.
> >
> > .: Fabian
> >
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[EMAIL PROTECTED]]
> > On Behalf Of Ian P. Christian
> > Sent: Friday, 16 May 2008 14:30
> > To: [email protected]
> > Subject: [symfony-devs] RFC - securing _dev files
> >
> >
> > I want to hear from you all as to what you think the best method for
> > securing the default _dev files - I will not suggest anything now, as I
> > want to present a blank slate.
> >
> > I will implement the solution we finally agree on.
> > Those that want to help please let me know.
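A stricter form of the guard proposed in Fabian's mail, added here as an example and not code from the thread or from symfony: it accepts the IPv6 loopback and CIDR ranges, answers with a real 403, logs the denial, and does not echo __FILE__ (which would disclose the server path to the caller). The allowlist entries are assumed placeholders.

```php
<?php
// Added example, not code from the thread or from symfony: a stricter variant
// of the allowlist guard for a *_dev.php front controller. The allowlist
// entries are illustrative placeholders; adjust them per deployment.
$allowed = ['127.0.0.1', '::1', '10.0.0.0/8'];

// True if $ip is inside $cidr ("a.b.c.d/n" or "x::/n"); a bare address must
// match exactly. Handles IPv4 and IPv6 and rejects malformed input.
function ipInCidr(string $ip, string $cidr): bool
{
    $parts  = explode('/', $cidr, 2);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($parts[0]);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable, or IPv4 compared against IPv6
    }
    $bits = isset($parts[1]) ? (int) $parts[1] : strlen($netBin) * 8;
    if ($bits < 0 || $bits > strlen($netBin) * 8) {
        return false;
    }
    // Compare only the first $bits bits, one byte at a time.
    for ($i = 0; $bits > 0; $i++, $bits -= 8) {
        $mask = $bits >= 8 ? 0xFF : (0xFF << (8 - $bits)) & 0xFF;
        if ((ord($ipBin[$i]) & $mask) !== (ord($netBin[$i]) & $mask)) {
            return false;
        }
    }
    return true;
}

function isAllowed(string $ip, array $allowed): bool
{
    foreach ($allowed as $entry) {
        if (ipInCidr($ip, $entry)) {
            return true;
        }
    }
    return false;
}

$remote = $_SERVER['REMOTE_ADDR'] ?? '';
if (!isAllowed($remote, $allowed)) {
    // Real 403 with a generic body: unlike the original snippet this does not
    // echo __FILE__, which would disclose the filesystem path to the caller.
    http_response_code(403);
    error_log(sprintf('dev front controller: denied request from %s', $remote));
    exit('Forbidden');
}
// Normal front controller bootstrap continues below this guard.
```

As in the original proposal, a shared proxy or NAT address on the list admits everyone behind it, so the allowlist is a guard against accidental exposure, not an authentication mechanism.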
