Hello,

Okay, I have applied a patch to 1.1:
http://trac.symfony-project.com/changeset/9489

Thanks Thomas for the basename hint, I overlooked this (dunno why).

I still think it's not perfect, but it should help quite a lot and should also be really easy to fix for those who feel bothered by it.

Only side note here: it will make upgrade to 1.2 harder if front controllers shall be modified again.

.: Fabian

On Sat, Jun 7, 2008 at 11:32 AM, Ian P. Christian <[EMAIL PROTECTED]> wrote:
>
> Fabian Lange wrote:
> > Hello,
> > I put a proposed patch to
> > http://trac.symfony-project.com/attachment/ticket/2352/secure_dev.patch
> > but there are some issues that remain:
> > a) Do we change this in 1.0 (proposal: no)
> Agreed.
> > b) Do we update the controllers on upgrade (proposal: no)
> Agreed.
> > c) Where in the documentation should we talk about it?
> Chapter 3
> > d) Could putting more into the controller be a problem? What about
> > later upgrades? Kris already said that we should not allow much
> > editing in the files.
> > e) Where is the generate:controller task? Is the absence intended?
> > f) Is a die without ipcheck a possible better solution?
> Hmm.. maybe - Whatever we put there, I personally think there should be
> a line that links to a wiki page about securing your dev controller -
> which has a whole load of snippets for doing it on various web servers.
> If we have a die() there by default - maybe we shouldn't create a _dev
> at all by default? Perhaps a generate:controller task is better...
