Since this is not a vulnerability, can Examples be simply disabled?

On Tuesday, March 15, 2016 at 10:43:24 AM UTC-6, Massimo Di Pierro wrote:
>
> An important security issue has come up.
>
> If you use web2py in production with the rocket web server (which you 
> should not anyway):
> 1) delete the "examples" app
> 2) make sure your pages do not expose the {{=response.toolbar}}
>
> Please follow the above guidelines because exposing internal system status 
> may help attackers gain confidential information about your system.
> The web2py in trunk will prevent the information leakage by default but 
> removing "examples" is the safest way.
>
> If you use nginx or apache or other wsgi server there is no problem but 
> you may still want to follow the above rules in production.
>
> Massimo
>
>
>

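An added example, not part of the original thread or of web2py itself: a small audit that checks an install for the two conditions listed in the quoted announcement. It assumes the standard web2py layout (`applications/<app>/views/`); the function names `audit_web2py` and `build_sample` are hypothetical, and the sample tree is constructed for the demonstration.

```python
import os
import re
import tempfile

# Matches {{=response.toolbar}} with or without call parentheses or inner spaces.
TOOLBAR_RE = re.compile(r"\{\{\s*=\s*response\.toolbar\b")

def audit_web2py(root):
    """Return sorted (issue, relative_path) findings for a web2py install at root."""
    findings = []
    apps_dir = os.path.join(root, "applications")
    if not os.path.isdir(apps_dir):
        return findings
    # Guideline 1: the bundled "examples" app should be deleted in production.
    if os.path.isdir(os.path.join(apps_dir, "examples")):
        findings.append(("examples-app-present", os.path.join("applications", "examples")))
    # Guideline 2: no view should render the debug toolbar.
    for app in sorted(os.listdir(apps_dir)):
        views = os.path.join(apps_dir, app, "views")
        for dirpath, _dirs, files in os.walk(views):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        text = fh.read()
                except OSError:
                    continue  # unreadable file: skip rather than abort the audit
                if TOOLBAR_RE.search(text):
                    findings.append(("toolbar-in-view", os.path.relpath(path, root)))
    return sorted(findings)

def build_sample(root):
    """Create a constructed sample tree: an examples app plus one app with a toolbar."""
    os.makedirs(os.path.join(root, "applications", "examples"))
    views = os.path.join(root, "applications", "myapp", "views")
    os.makedirs(os.path.join(views, "default"))
    with open(os.path.join(views, "layout.html"), "w") as fh:
        fh.write("<body>{{include}}{{=response.toolbar()}}</body>\n")
    with open(os.path.join(views, "default", "index.html"), "w") as fh:
        fh.write("{{extend 'layout.html'}}<h1>Hello</h1>\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for issue, path in audit_web2py(tmp):
            print(issue, path)
```

The scan only looks at view templates, so a toolbar built in a controller and passed to the view under another name would need a separate check of the `controllers/` directory.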