On Jul 12, 2008, at 9:34 PM, Nick wrote:

I'll start by saying that I could very well be wrong about this, but
this looks like a security problem to me.  In the standard
development.ini file for every paster project (Pylons 0.96, paste
1.7.1), the host and debug are set as:

host = 0.0.0.0
# WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*
# Debug mode will enable the interactive debugging tool, allowing ANYONE to
# execute malicious code after an exception is raised.
#set debug = false

This seems odd to me.  Debug mode allows ANYONE to execute malicious
code, yet connections are accepted from ANYONE by default in debug
mode.  Shouldn't host only accept connections from the localhost by
default considering how debug allows arbitrary code execution?

If I'm wrong, I'm very sorry for raising alarm bells (could someone
please enlighten me as to why this isn't a problem?), but if I'm not,
shouldn't this be changed?

I believe this has been raised before, and we are looking at changing that to 127.0.0.1. Though I recall there being some issue on some platforms with it not working right at 127.0.0.1, as we previously had it there, then changed it to 0.0.0.0.

Cheers,
Ben
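A check for the exposure Nick describes, added here as an example; it is not code from the thread or from Pylons/Paste. It parses a constructed Paste Deploy ini modelled on the quoted development.ini, assumes Paste's rule that a "set debug" line in [app:main] overrides the [DEFAULT] debug flag, and reports whether the interactive debugger would be reachable from a non-loopback bind address, for both the shipped settings and the hardened variant Ben mentions (127.0.0.1 plus the override uncommented).

```python
import configparser
import ipaddress

# Constructed sample modelled on the Pylons 0.9.6 development.ini quoted above;
# only the keys the check needs are kept.
DEV_INI = """
[DEFAULT]
debug = true

[server:main]
use = egg:Paste#http
host = 0.0.0.0
port = 5000

[app:main]
use = egg:MyApp
full_stack = true
#set debug = false
"""

# Same file with the two changes discussed in the thread: bind to loopback
# and uncomment the per-app debug override.
HARDENED_INI = (DEV_INI.replace("host = 0.0.0.0", "host = 127.0.0.1")
                       .replace("#set debug = false", "set debug = false"))

def _is_loopback(host):
    """True for 127.0.0.0/8, ::1 or the literal name 'localhost'."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:           # any other hostname: assume not loopback
        return False

def debugger_exposure(ini_text):
    """Return (debug_on, host, exposed) for a Paste Deploy style ini.
    Assumption: 'set debug = ...' in [app:main] is a local override of the
    global [DEFAULT] debug value, so it wins whenever it is present."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    app = cp["app:main"]                     # section proxy also sees [DEFAULT]
    raw = app["set debug"] if "set debug" in app else app.get("debug", "false")
    debug_on = raw.strip().lower() in ("true", "yes", "on", "1")
    host = cp["server:main"].get("host", "127.0.0.1")
    # The interactive debugger is only a remote problem if non-local clients
    # can reach the listening socket at all.
    exposed = debug_on and not _is_loopback(host)
    return debug_on, host, exposed
```

debugger_exposure(DEV_INI) returns (True, '0.0.0.0', True), while debugger_exposure(HARDENED_INI) returns (False, '127.0.0.1', False); binding to loopback alone (debug still on) gives (True, '127.0.0.1', False).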
