-1 - http://www.google.de/search?q=inurl:frontend_dev.php can still be used to retrieve websites running on symfony; you just add another method: http://www.google.de/search?q="Check For more information is not in set of allowed IPs" - it's nice on a dev server running on the dev's host, but on a prod server it can be really annoying for people without a static IP, so they will comment it out?
[MA]Pascal

On 16 May, 15:48, "Fabian Lange" <[EMAIL PROTECTED]> wrote:
> Hi *,
> Interesting that there are so many replies.
> I'll reply to the initial posting, because I feel that I can't agree with any
> other.
>
> My proposal is: make symfony safe for people who don't know what they are
> doing.
> I say that because:
> http://www.google.de/search?q=inurl:frontend_dev.php
>
> I just assume that everything was deployed to the live system.
> As this should also work for all servers, it shouldn't be a .htaccess based
> solution.
>
> To follow my proposal, and make it really simple:
>
> Add to all non-production controllers:
>
> <?php
> // This prevents accidental access to non-production frontends
> if (!in_array($_SERVER['REMOTE_ADDR'], array('127.0.0.1')))
> {
>     echo('Your IP '.$_SERVER['REMOTE_ADDR'].' is not in set of allowed IPs.');
>     echo('Check '.__FILE__.' For more information. ');
>     die();
> }
> ?>
>
> This is:
> - easy: No config required. Works by default 100% secure.
> - extensible: If devs want to keep it, it's easy to understand where to add
>   new IPs.
> - performant: Absolutely no impact on the production controller (compared
>   with apache and filter rules)
> - removable: remove those 7 lines and you have removed the whole default
>   protection
> - dummy safe: you can deploy it to the server without looking at it and it is
>   safe.
>
> This does NOT provide complete security against "attacks". Let's say you
> added your company proxy IP, a colleague not working on this project could
> get access to it as well.
> However it adds a lot of security against random attack attempts.
>
> .: Fabian
>
> -----Original Message-----
> From: [email protected] [mailto:[EMAIL PROTECTED]]
> On Behalf Of Ian P. Christian
> Sent: Friday, 16 May 2008 14:30
> To: [email protected]
> Subject: [symfony-devs] RFC - securing _dev files
>
> I want to hear from you all as to what you think the best method for
> securing the default _dev files is - I will not suggest anything now, as I
> want to present a blank slate.
>
> I will implement the solution we finally agree on.
> Those that want to help please let me know.

--
You received this message because you are subscribed to the Google Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en
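A hardened variant of the REMOTE_ADDR check Fabian proposes, added here as an example; it is not code from this thread or from symfony. It is assumed to be prepended to a non-production front controller such as frontend_dev.php. It differs from the quoted snippet in three ways a practitioner would want: the allowlist accepts CIDR ranges and IPv6 (so a whole office or VPN range can be listed instead of one static IP), the rejection response is a bare 403 with no file path, client IP or distinctive sentence, so there is nothing for a search engine to index (the weakness Pascal points out), and it reads only REMOTE_ADDR, never X-Forwarded-For, which a client can forge. The allowlist values, including the 192.0.2.0/24 range (the documentation-only TEST-NET-1 block), are placeholders to be replaced per deployment.

```php
<?php
// Added example (not from the symfony project or the thread above): a guard
// for non-production front controllers such as frontend_dev.php. Assumed to
// be prepended to that file, before the application is bootstrapped.

// Assumed allowlist: loopback (IPv4 and IPv6) plus a placeholder office range.
const DEV_ALLOWED_CLIENTS = ['127.0.0.1', '::1', '192.0.2.0/24'];

/**
 * True if $ip lies inside $cidr ("a.b.c.d/len" or "x::y/len"). An entry with
 * no slash is a single host. IPv4 and IPv6 never match each other, so an
 * IPv4-mapped address such as ::ffff:127.0.0.1 must be listed explicitly.
 */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $len] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    $bits = strlen($ipBin) * 8;            // 32 for IPv4, 128 for IPv6
    $len  = $len === null ? $bits : (int) $len;
    if ($len < 0 || $len > $bits) {
        return false;                       // malformed prefix length: fail closed
    }
    // Compare whole prefix bytes first, then the remaining bits of the last byte.
    $fullBytes = intdiv($len, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $restBits = $len % 8;
    if ($restBits === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $restBits)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function isAllowedDevClient(string $remoteAddr, array $allowed): bool
{
    foreach ($allowed as $entry) {
        if (ipInCidr($remoteAddr, $entry)) {
            return true;
        }
    }
    return false;
}

// The guard itself. REMOTE_ADDR is set by the web server from the TCP peer;
// X-Forwarded-For is deliberately ignored because any client can send it.
if (PHP_SAPI !== 'cli') {
    $remote = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!isAllowedDevClient($remote, DEV_ALLOWED_CLIENTS)) {
        http_response_code(403);
        header('Content-Type: text/plain');
        // Deliberately generic: no __FILE__, no IP, nothing distinctive to
        // search for, unlike the message in the snippet quoted above.
        echo "Forbidden\n";
        exit;
    }
}
```

Two caveats follow from the thread. First, behind a reverse proxy REMOTE_ADDR is the proxy's address, so the allowlist has to be maintained per deployment, which is exactly the operational burden Pascal describes for people without a static IP; a CIDR range reduces it but does not remove it. Second, as Fabian notes, anyone who shares a listed address or range is let through, so this is a guard against accidental exposure and casual scanning, not a substitute for removing the dev controller from production.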
