Ticket #483 (closed defect: fixed)

Opened 12 months ago

Last modified 12 months ago

Change development.ini to listen only on localhost

Reported by: sluggo
Owned by: bbangert
Priority: normal
Milestone: 0.9.7
Component: configuration
Version: 0.9.7
Severity: blocker
Keywords:
Cc:

Description

The default development.ini listens on all interfaces yet has debug=true. This is a security hole for newbies whose workstations are not behind a firewall.

I suggest changing the default development.ini to host=127.0.0.1. That's sufficient for the majority of developers. Those who need to share their unfinished app on an intranet or the Internet can change it, but there should be a warning next to the host= variable about the consequences.

The debug warning says "production environment" but it should really say any network with untrusted users (Internet or intranet). If there is a need to share a development app on an untrusted network, it should have basic authentication and SSL in front of it.
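The check below is an added example, not code from the ticket or from the Pylons project. It audits a Paste Deploy style development.ini for the exact combination the report describes: a `[server:main]` host that is not a loopback address while `[app:main]` has `debug = true`. It assumes that section and key layout, treats a missing `host` conservatively as non-loopback, and uses two constructed ini samples (one with the risky default, one with the proposed `host = 127.0.0.1`).

```python
"""Audit a Paste Deploy style development.ini for the exposure the ticket
describes: the server bound to all interfaces while debug is enabled.

Added example; section/key layout ([server:main] host, [app:main] debug)
is assumed to match the Pylons development.ini convention.
"""
import configparser
import ipaddress

# Constructed sample: the risky default the ticket complains about.
RISKY_INI = """\
[server:main]
use = egg:Paste#http
host = 0.0.0.0
port = 5000

[app:main]
use = egg:myapp
debug = true
"""

# Constructed sample: the same file with the fix the ticket proposes.
SAFE_INI = """\
[server:main]
use = egg:Paste#http
host = 127.0.0.1
port = 5000

[app:main]
use = egg:myapp
debug = true
"""


def is_loopback(host):
    """True if the bind address only reaches the local machine."""
    host = host.strip()
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Hostnames other than "localhost" may resolve anywhere; be strict.
        return False


def audit_ini(text):
    """Return a list of findings; an empty list means the check passed."""
    # interpolation=None so Paste's %(here)s style values do not trip the parser.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []

    # Assumption: a missing host is treated as listening on all interfaces,
    # which is the conservative reading for a development server.
    host = cfg.get("server:main", "host", fallback="0.0.0.0")
    debug = cfg.getboolean("app:main", "debug", fallback=False)

    if debug and not is_loopback(host):
        findings.append(
            "debug = true with host = %s: interactive debugger is reachable "
            "from the network; set host = 127.0.0.1 or put authentication "
            "and SSL in front of the app" % host
        )
    return findings


def harden_ini(text):
    """Return the config text with [server:main] host forced to 127.0.0.1."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    cfg.set("server:main", "host", "127.0.0.1")
    out = []
    for section in cfg.sections():
        out.append("[%s]" % section)
        for key, value in cfg.items(section):
            out.append("%s = %s" % (key, value))
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for name, ini in (("risky", RISKY_INI), ("safe", SAFE_INI)):
        print(name, audit_ini(ini) or "ok")
    print(audit_ini(harden_ini(RISKY_INI)) or "hardened copy ok")
```

Run it against a real development.ini with `audit_ini(open("development.ini").read())`; a non-empty result is the condition the ticket calls a blocker.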

Change History

comment:1 Changed 12 months ago by sluggo

comment:2 Changed 12 months ago by bbangert

  • status changed from new to closed
  • resolution set to fixed

Fixed in rceae59fcb945

comment:3 Changed 12 months ago by bbangert

  • milestone set to 0.9.7