If I may: +1

$_allows_ips = array( '127.0.0.1' );
if (!in_array($_SERVER['REMOTE_ADDR'], $_allows_ips))

On Fri, May 16, 2008 at 6:32 PM, Alistair Stead <[EMAIL PROTECTED]> wrote:
> +1
>
> 2008/5/16 Fabien POTENCIER <[EMAIL PROTECTED]>:
>>
>> I like the simplicity, the simple configurability, ... well everything.
>>
>> +1 for me
>>
>> Fabien
>>
>> --
>> Fabien Potencier
>> Sensio CEO - symfony lead developer
>> sensiolabs.com | symfony-project.com | aide-de-camp.org
>> Tél: +33 1 40 99 80 80
>>
>> Fabian Lange wrote:
>> > Hi *,
>> > Interesting that there are so many replies.
>> > I'll reply to the initial posting, cause I feel that I can't agree on any other.
>> >
>> > My proposal is: make symfony safe for people that don't know what they are doing.
>> > I say that because:
>> > http://www.google.de/search?q=inurl:frontend_dev.php
>> >
>> > I just assume that everything was deployed to the live system.
>> > As this should work also for all servers it shouldn't be a .htaccess based solution.
>> >
>> > To follow my proposal, and make it really simple:
>> >
>> > Add to all non production controllers:
>> >
>> > <?php
>> > //This prevents accidental access to non production frontends
>> > if (!in_array($_SERVER['REMOTE_ADDR'], array('127.0.0.1')))
>> > {
>> >     echo('Your IP '.$_SERVER['REMOTE_ADDR'].' is not in set of allowed IPs.');
>> >     echo('Check '.__FILE__.' For more information. ');
>> >     die();
>> > }
>> > ?>
>> >
>> > This is:
>> > - easy: No config required. Works by default 100% secure.
>> > - extensible: If devs want to keep it, it's easy to understand where to add new ips.
>> > - performant: Absolutely no impact on the production controller (compared with apache and filter rules)
>> > - removable: remove those 7 lines and you have removed the whole default protection
>> > - dummy safe: you can deploy it to server without looking at it and it is safe.
>> >
>> > This does NOT provide complete security against "attacks". Let's say you added your company proxy IP, a colleague not working on this project could get access to it as well.
>> > However it adds a lot of security for random attack attempts.
>> >
>> > .: Fabian
>> >
>> > -----Original Message-----
>> > From: [email protected] [mailto:[EMAIL PROTECTED]] On Behalf Of Ian P. Christian
>> > Sent: Friday, 16 May 2008 14:30
>> > To: [email protected]
>> > Subject: [symfony-devs] RFC - securing _dev files
>> >
>> > I want to hear from you all as to what you think the best method for securing the default _dev files - I will not suggest anything now, as I want to present a blank slate.
>> >
>> > I will implement the solution we finally agree on.
>> > Those that want to help please let me know.
>>
>

--
Thomas Rabaix
Internet Consultant
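As an added example, not code from the thread or from symfony: a version of the dev-controller guard discussed above that keeps the REMOTE_ADDR-only decision (never X-Forwarded-For, which the client controls), accepts IPv6 loopback and CIDR ranges so the "company proxy" case can be an explicit range rather than a single address, and does not echo __FILE__ back to the client. $allowedCidrs and the office range 192.0.2.0/24 are assumed values; PHP 7.1+ syntax is assumed.

```php
<?php
// Added example (not from the thread). Guard for non-production front controllers:
// allow-list on $_SERVER['REMOTE_ADDR'] only, with IPv4/IPv6 CIDR support.
// $allowedCidrs is an assumed configuration value.

/** True when $ip (v4 or v6 text form) lies inside $cidr, e.g. "10.0.0.0/8" or "::1/128". */
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);      // false on unparsable input
    $netBin = @inet_pton($subnet);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;               // invalid, or v4 address tested against a v6 range (or vice versa)
    }
    $maxBits = strlen($ipBin) * 8;  // 32 or 128
    // A malformed prefix length must fail closed, never degrade to /0.
    $bits = ($bits === null) ? $maxBits : (ctype_digit($bits) ? (int) $bits : -1);
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }
    // Compare whole prefix bytes first, then the remaining partial byte through a mask.
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function isAllowedClient(string $remoteAddr, array $allowedCidrs): bool
{
    foreach ($allowedCidrs as $cidr) {
        if (ipInCidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}

// Assumed allow-list: IPv4 and IPv6 loopback plus one (constructed) office range.
$allowedCidrs = ['127.0.0.1/32', '::1/128', '192.0.2.0/24'];
if (!isAllowedClient($_SERVER['REMOTE_ADDR'] ?? '', $allowedCidrs)) {
    http_response_code(403);
    // Deliberately no __FILE__ or client IP in the body: the response should not leak server paths.
    exit('Forbidden');
}
```

If the application sits behind a reverse proxy, REMOTE_ADDR is the proxy's address, so the allow-list then admits everyone the proxy forwards; in that setup the guard belongs on the proxy, or the proxy's address must not be listed.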
