On 8/31/06, Jorge Godoy <[EMAIL PROTECTED]> wrote:
>
> "ltbarcly" <[EMAIL PROTECTED]> writes:
>
> > I would suggest that it not accept external connections by default, and
> > that it would scroll an obvious warning/error in the terminal where the
> > start script is run saying something like "****Attempt made to connect
> > to server from another computer, IP=xxx.xxx.xxx.yyy.  By default this
> > attempt is rejected, however to enable remote viewing of this TG web
> > app uncomment the line X from your dev.cfg file.****
>
> So you're suggesting that it binds to localhost only to answer incoming
> requests and bind to all other addresses to register supposed connection
> attempts?
>
> > It is a wrong behavior to start serving pages by default.  I know
> > apache does it depending on how it is installed, but generally security
> > should be on by default.
>
> I agree that the log message is wrong.  It says:
>
> 2006-08-30 22:24:13,914 cherrypy.msg INFO HTTP: Serving HTTP on 
> http://localhost:8080/
>
>
> But in fact it is listening on all addresses on port 8080:
>
> 22:25 jupiter:~ > LANG= netstat -ant | grep 8080
> tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
> 22:25 jupiter:~ >
>
>
> The log message should be clearer about the real situation, so either this is
> a bug in the software or in the log message.
>
> > Let's just hope there aren't ever any remote exploits in a default
> > install of TG, and this will be mostly a non-issue.  (I'm pessimistic)
>
> Anyone exposing a development environment to the web is asking for trouble.
> Anyone putting up a production environment without carefully configuring it is
> asking for trouble as well.
>
> A default TG install just shows the "welcome to TG" page.  If you changed it
> you should also have changed the configuration files.
>
>
> IMHO the message should be clearer about where CP is listening for
> connections.  And the default production setup should be binding to all
> ports, since it is what makes more sense for deployment.  For development I
> also like this behavior, but I don't have problems with CP binding only to
> localhost.
>
> --
> Jorge Godoy      <[EMAIL PROTECTED]>
>

I've opened a patch on making the log a little less misleading on the
cherrypy trac.

-- 
cheers
    elvelind grandin
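The point of the thread is that the log line claims "localhost" while the socket is actually bound to 0.0.0.0, and that the only way to know is to check (the netstat command above). The following is an added example, not code from this thread or from the CherryPy/TurboGears projects: it derives the log message from the address the kernel reports via getsockname() instead of from the config value, and it parses `netstat -ant` style output to list wildcard listeners. The function names, the sample netstat text and the message wording are my own.

```python
import re
import socket

# Addresses that mean "every interface on this machine". A socket bound to
# one of these accepts connections from other hosts, whatever the log says.
WILDCARD_HOSTS = {"", "0.0.0.0", "::"}


def is_exposed(host):
    """True if a listener bound to `host` is reachable from other machines."""
    return host in WILDCARD_HOSTS


def describe_listener(host, port):
    """Build a log line that states the real bind address instead of
    always printing 'localhost' (the misleading message from the thread)."""
    if is_exposed(host):
        return (f"Serving HTTP on ALL interfaces ({host or '0.0.0.0'}:{port}) - "
                f"reachable from other hosts; bind to 127.0.0.1 for local-only use")
    return f"Serving HTTP on http://{host}:{port}/ (local only)"


def bind_and_report(host, port=0):
    """Bind a TCP listener and return (bound_host, bound_port, log_line).

    The address comes from getsockname(), so the message reflects what the
    kernel actually did, not what the config file claims. port=0 asks the
    OS for any free port, which keeps the example safe to run anywhere."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(1)
    bound_host, bound_port = s.getsockname()
    s.close()
    return bound_host, bound_port, describe_listener(bound_host, bound_port)


# Matches one LISTEN row of `netstat -ant` (Linux net-tools layout):
# proto, recv-q, send-q, local addr:port, foreign addr, state.
NETSTAT_LINE = re.compile(
    r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s*$")


def find_wildcard_listeners(netstat_output):
    """Return (proto, host, port) for every LISTEN socket bound to a
    wildcard address, i.e. the ones exposed to other hosts."""
    found = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line.strip())
        if not m:
            continue
        proto, host, port = m.groups()
        if is_exposed(host):
            found.append((proto, host, int(port)))
    return found


# Constructed sample output, modelled on the netstat line quoted in the thread.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""


if __name__ == "__main__":
    for args in (("127.0.0.1",), ("0.0.0.0",)):
        print(bind_and_report(*args)[2])
    for proto, host, port in find_wildcard_listeners(SAMPLE_NETSTAT):
        print(f"exposed: {proto} {host}:{port}")
```

Running the script shows the two messages a server should emit for a loopback versus a wildcard bind, and flags the 0.0.0.0:8080 and :::22 rows of the sample while leaving the 127.0.0.1:5432 row alone. A real `netstat -ant` (or `ss -ltn`) capture can be passed to `find_wildcard_listeners` in the same way to audit a development box.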

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"TurboGears" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/turbogears
-~----------~----~----~----~------~----~------~--~---
