Hi Pascal,

It was not the intention to hide symfony. The google search should prove one
thing: people are deploying default generated front controllers.

If you are after a list of symfony powered applications: there is one on the
wiki. Or search for sites setting a symfony cookie.
The goal is simply, in the default case, to hide possibly sensitive
information that shouldn't be visible to every wannabe hacker.

I had one comment line in my proposal, which of course could be made better
to describe the purpose of the IP check. If you have issues with it and want
to remove it, you most likely will think of another solution, or you take the
conscious decision to make the URL open for everybody who can guess it.

.: Fabian

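A reworked version of the dev-controller guard discussed in this thread, added here as an example (it is not symfony's code and not code from any of the posts). It assumes the allowed ranges shown are constructed sample values.

```php
<?php
// Added example, not symfony's code: a front-controller guard in the spirit of
// Fabian's proposal, reworked around Pascal's two objections. A CIDR allowlist
// admits a whole office or VPN range instead of one static IP, and the refusal
// is a bare 403 rather than a descriptive message that search engines could
// index and use to fingerprint symfony installs.
// The ranges below are constructed sample values.
$allowedRanges = array('127.0.0.1/32', '::1/128', '192.168.1.0/24');

// Returns true when $ip falls inside $cidr (IPv4 or IPv6, same family only).
function ipInCidr($ip, $cidr)
{
    if (strpos($cidr, '/') === false) {
        $cidr .= strpos($cidr, ':') === false ? '/32' : '/128';
    }
    list($subnet, $bits) = explode('/', $cidr, 2);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($subnet);
    // Malformed input or a mixed IPv4/IPv6 comparison never matches.
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    $bits = (int) $bits;
    if ($bits < 0 || $bits > strlen($ipBin) * 8) {
        return false;
    }
    $fullBytes = (int) ($bits / 8);
    $rest      = $bits % 8;
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function isAllowedClient($remoteAddr, array $ranges)
{
    foreach ($ranges as $range) {
        if (ipInCidr($remoteAddr, $range)) {
            return true;
        }
    }
    return false;
}

// REMOTE_ADDR is set by the web server from the TCP peer. Client-supplied
// headers such as X-Forwarded-For must not be used here: they are trivially
// forged, which would turn the allowlist into a no-op.
if (!isAllowedClient($_SERVER['REMOTE_ADDR'], $allowedRanges)) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}
```

Nothing in the 403 body names symfony, the file, or the client's address, so the response offers search engines no phrase to index.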

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED]
On Behalf Of [EMAIL PROTECTED]
Sent: Sonntag, 18. Mai 2008 17:14
To: symfony developers
Subject: [symfony-devs] Re: RFC - securing _dev files


-1

- http://www.google.de/search?q=inurl:frontend_dev.php can still be
used to retrieve websites running on symfony
- you just add another method: http://www.google.de/search?q="Check For more information is not in set of allowed IPs"
- it's nice on a dev server running on the dev's host, but on a prod server it
can be really annoying for people without a static IP, so they will comment
it out?

[MA]Pascal

On 16 mai, 15:48, "Fabian Lange" <[EMAIL PROTECTED]>
wrote:
> Hi *,
> Interesting that there are so many replies.
> I'll reply to the initial posting, because I feel that I can't agree with any
> other.
>
> My proposal is: make symfony safe for people that don't know what they are
> doing.
> I say that because:
>  http://www.google.de/search?q=inurl:frontend_dev.php
>
> I just assume that everything was deployed to the live system.
> As this should work also for all servers it shouldn't be a .htaccess based
> solution.
>
> To follow my proposal, and make it really simple:
>
> Add to all non production controllers:
>
> <?php
> // This prevents accidental access to non production frontends
> if (!in_array($_SERVER['REMOTE_ADDR'], array('127.0.0.1')))
> {
>   echo('Your IP '.$_SERVER['REMOTE_ADDR'].' is not in set of allowed IPs.');
>   echo('Check '.__FILE__.' For more information. ');
>   die();
> }
>
> ?>
>
> This is:
>  - easy: No config required. Works by default 100% secure.
>  - extensible: If devs want to keep it, it's easy to understand where to
> add new IPs.
>  - performant: Absolutely no impact on the production controller (compared
> with apache and filter rules)
>  - removable: remove those 7 lines and you have removed the whole default
> protection
>  - dummy safe: you can deploy it to server without looking at it and it is
> safe.
>
> This does NOT provide complete security against "attacks". Let's say you
> added your company proxy IP, a colleague not working on this project could
> get access to it as well.
> However it adds a lot of security against random attack attempts.
>
> .: Fabian
>
> -----Original Message-----
> From: [email protected] [mailto:[EMAIL PROTECTED]
>
> On Behalf Of Ian P. Christian
> Sent: Freitag, 16. Mai 2008 14:30
> To: [email protected]
> Subject: [symfony-devs] RFC - securing _dev files
>
> I want to hear from you all as to what you think the best method for
> securing the default _dev files is - I will not suggest anything now, as I
> want to present a blank slate.
>
> I will implement the solution we finally agree on.
> Those that want to help please let me know.


