On further contemplation, I realize that the window of opportunity is
relatively small and straightforward to fix per each distribution once
the problem is noticed, so I'm not too worried about it...  But thanks
for the fast and informative replies!

On Jul 13, 2:19 am, "Mike Orr" <[EMAIL PROTECTED]> wrote:
> On Sat, Jul 12, 2008 at 10:55 PM, Ben Bangert <[EMAIL PROTECTED]> wrote:
> > On Jul 12, 2008, at 9:34 PM, Nick wrote:
>
> >> I'll start by saying that I could very well be wrong about this, but
> >> this looks like a security problem to me.  In the standard
> >> development.ini file for every paster project (Pylons 0.96, paste
> >> 1.7.1), the host and debug are set as:
> >> host = 0.0.0.0
>
> It's in the bugtracker as #483, which also has a link to the other
> mailing list thread.
>
> http://pylonshq.com/project/pylonshq/ticket/483
>
> > I believe this has been raised before, and we are looking at changing that
> > to 127.0.0.1. Though I recall there being some issue on some platforms with
> > it not working right at 127.0.0.1, as we previously had it there, then
> > changed it to 0.0.0.0.
>
> According to the Pylons changelog:
>
> Pylons 0.9.2:  "Updated default ini file to use localhost from
> address. Refs #104"
>
> That sounds like it was changed to localhost from something else.  But
> the changeset in the bug report doesn't seem to alter development.ini
> at all, so this may be unrelated.
>
> Searched for "127", "localhost", "development", and "ini"  in
> changelog but couldn't find anything else.
>
> The problem with "localhost" is some systems don't have a "localhost
> -> 127.0.0.1" mapping by default.  I can't remember if it was a
> Macintosh server or a Windows system I saw that on.
>
> 127.0.0.1 wouldn't work if the loopback interface is not configured,
> but I doubt if we want to go that far in accommodating broken systems,
> especially considering the larger security risk of 0.0.0.0.
>
> I tried taking 127.0.0.1 down on Linux to see what it would do, and
> the application starts fine but the browser hangs.  I guess that
> means it's going through the default route instead.
>
> --
> Mike Orr <[EMAIL PROTECTED]>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.
To post to this group, send email to pylons-discuss@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/pylons-discuss?hl=en
-~----------~----~----~----~------~----~------~--~---
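The thread is about one line of a generated development.ini: `host = 0.0.0.0` together with `debug = true` exposes a development server (and whatever its debug mode offers) to every interface rather than to the local machine only. The check below is an added example, not Pylons or Paste code, and the two ini texts in it are constructed to mirror the layout of a generated development.ini (`[server:main]` host/port, `debug` inherited from `[DEFAULT]`); the function names `audit_paste_ini` and `binds_all_interfaces` are this example's own. It flags the all-interfaces binding, distinguishes it from a loopback binding, and treats `::` and `*` the same way, which goes slightly beyond the single value the thread discusses.

```python
"""Audit a Paste-style development.ini for an all-interfaces bind plus debug mode.

Added example, not Pylons/Paste project code. The ini texts are constructed
samples shaped like the generated development.ini discussed in the thread.
"""
import configparser
import ipaddress

# Constructed sample: the default file as the thread describes it, with the
# server bound to every interface and debug turned on via [DEFAULT].
DEFAULT_INI = """\
[DEFAULT]
debug = true

[server:main]
use = egg:Paste#http
host = 0.0.0.0
port = 5000

[app:main]
use = egg:myapp
full_stack = true
"""

# Constructed sample: the same file with the loopback binding the thread proposes.
LOOPBACK_INI = DEFAULT_INI.replace("host = 0.0.0.0", "host = 127.0.0.1")


def parse_paste_ini(text):
    """Parse ini text the way Paste Deploy lays it out.

    Interpolation is disabled because Paste files use %(here)s, which
    configparser would otherwise try to expand.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def binds_all_interfaces(host):
    """True if the host value makes the server reachable on any interface."""
    host = host.strip()
    if host in ("", "*", "::", "0.0.0.0"):
        return True
    try:
        return ipaddress.ip_address(host).is_unspecified
    except ValueError:
        return False  # a hostname such as "localhost"; not resolved here


def audit_paste_ini(text):
    """Return a list of (severity, message) findings for a Paste ini file."""
    cp = parse_paste_ini(text)
    if not cp.has_section("server:main"):
        return [("info", "no [server:main] section; nothing to audit")]
    host = cp.get("server:main", "host", fallback="127.0.0.1")
    # [DEFAULT] keys flow into every section in Paste Deploy, which is how the
    # generated file turns debug on for [app:main]; configparser does the same.
    debug = cp.getboolean("app:main", "debug", fallback=False)
    exposed = binds_all_interfaces(host)
    findings = []
    if exposed and debug:
        findings.append(("high", f"host={host} with debug=true: debug mode is "
                                 "reachable from other machines"))
    elif exposed:
        findings.append(("medium", f"host={host}: development server listens "
                                   "on all interfaces"))
    elif debug:
        findings.append(("low", f"debug=true but bound to {host} only"))
    return findings


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_INI), ("loopback", LOOPBACK_INI)):
        print(name, audit_paste_ini(text))
```

Running the block prints a "high" finding for the constructed default file and a "low" one for the loopback variant. The check deliberately does not resolve hostnames, so a file that says `host = localhost` is reported as not exposed; on a system without a `localhost -> 127.0.0.1` mapping, as Mike describes, the real binding would need to be confirmed with the server actually running.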