On Sat, 7 Aug 2010, Dustin wrote:
> On Aug 7, 7:52 am, Loganaden Velvindron <logana...@gmail.com> wrote:
> > There seems to be a problem when I pasted it in gmail.
> >
> > Here's a link to the git diff:
> >
> > http://devio.us/~loganaden/memcached.git.diff
>
> This makes some sense to me. That functionality is kind of a
> plague. On one hand we've got people trying to use it for things it
> doesn't do and on the other hand, we've got people who configure
> memcached incorrectly and put themselves at risk.

I propose: 1.4.6 would come with a -D option or something which would disable cachedump, etc. possibly also stats sizes. 1.6.0 will have them disabled by default, with a different option for enabling them?

Yeah people abuse the shit out of them and I was entertaining the idea of randomizing the names every release or removing it before, but I don't want to listen to the whining on both sides of the fence. Definitely don't think printing warnings will do much.

Honestly we do warn you in the docs, it's clear that you never provide a username/password, and dozens of articles on "running memcached in the cloud" tell you to firewall the damn thing. What's funny is despite all this people still screw it up.

Even if we make it harder to run debug commands that's only limiting the sort of damage you can do by a teeny bit. Then in six months some security geek will write something to run 'stats slabs/stats items' and bomb your weakest slabs with junk data until your site goes away. Or like, connect to it until it hits maxconns, or guess at common keys. Yawn.