[EMAIL PROTECTED] wrote:
> Well, I'll give a more detailed advice... Oh and it's a -1 :
>
> I'm afraid that wanting a controller "secured out of the box" is an
> error.
>
> With a check based on IP you have the feeling of security, but this is
> a mistake as the IP is easy to change and fake.
>
If you can tell me how someone can do this easily (using TCP) outside of
a layer 2 network, then I'll take this point seriously.
The idea here is that we are just trying to make it so a developer can
not easily accidentally deploy this server, or for people who develop on
public facing sites anyway (I often do this personally, unless there's
political reasons I can't).
I do agree that this might give a feeling of safety when really there
isn't one - however when it comes to security, there isn't one solution,
it's layers on top of layers - each layer adding its own security, with
the hope to make a system more secure.
Having IP restrictions won't solve all problems, if someone's going to
go to the extent of signing up for the same shared host (yes, it really
does happen) - then they will potentially have limited read access to
files anyway (if the server is using mod_php, files need to be readable
by apache - this is easy to exploit to get DB details for example).
I like the idea of the IP restriction, or... how about this? (again,
I'm just putting ideas out there - I may or may not think this is a good
idea ;) )
<?php
// WARNING: before doing this ensure you read chapter X
// in the book which covers strategies for securing your web app
die('you must enable this controller');
That couldn't be simpler - then in the manual (or snippets, wiki,
somewhere) there could be cut and paste solutions - like how to exclude
these files from rsync, svn, how to secure it using apache, how to limit
by IP, etc. etc.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en
-~----------~----~----~----~------~----~------~--~---
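The "must be enabled" guard and the IP restriction discussed in the message above, combined as one front-script check. This is an added example, not symfony code and not code from the poster: the constants, the helper names and the allowed networks are hypothetical. The one caveat a practitioner would want is visible in the code: the check uses the TCP peer address (REMOTE_ADDR) and deliberately ignores X-Forwarded-For and X-Real-IP, because those are ordinary request headers that any client can set; an allowlist that reads them is bypassed with a single header, which is the usual way an "IP check" gets faked from outside the local network.

```php
<?php
// Added example (not symfony or the poster's code): a development-only
// controller that must be switched on deliberately, and is then only
// reachable from an allowlist of networks. Names below are hypothetical.

const DEV_CONTROLLER_ENABLED = false;   // set to true on the one machine that needs it
const DEV_ALLOWED_NETS = ['127.0.0.1/32', '::1/128', '192.168.0.0/16'];

// True if $ip lies inside the CIDR range $cidr (IPv4 or IPv6).
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;                   // unparsable, or v4 tested against a v6 range
    }
    $bits = min((int) $bits, strlen($ipBin) * 8);
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF; // high $rem bits of the partial byte
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

// Decide from the server variables only. REMOTE_ADDR is the address the TCP
// connection actually came from; X-Forwarded-For / X-Real-IP are request
// headers the client controls and must not feed this check unless a trusted
// reverse proxy in front is known to overwrite them.
function clientAllowed(array $server, array $nets): bool
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    foreach ($nets as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Layer 1: the controller is off unless someone turned it on in this file.
if (!DEV_CONTROLLER_ENABLED) {
    header('HTTP/1.1 404 Not Found');
    die('you must enable this controller');
}

// Layer 2: even when enabled, only the listed networks may reach it.
if (!clientAllowed($_SERVER, DEV_ALLOWED_NETS)) {
    header('HTTP/1.1 403 Forbidden');
    die('this controller is not available from your address');
}

// ... the development controller proper would follow here.
```

The two checks are independent layers in the sense the message describes: forgetting to flip the constant fails closed, and flipping it on a public host still leaves the network restriction. Neither helps against another account on the same shared host reading the file, which is the limitation the poster already points out.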