Ticket #483 (closed defect: fixed)

Opened 2 years ago

Last modified 2 years ago

Change development.ini to listen only on localhost

Reported by: sluggo Owned by: bbangert
Priority: normal Milestone: 0.9.7
Component: configuration Version: 0.9.7
Severity: blocker Keywords:
Cc:

Description

The default development.ini listens on all interfaces yet has debug=true. This is a security hole for newbies whose workstations are not behind a firewall.

I suggest changing the default development.ini to host=127.0.0.1. That's sufficient for the majority of developers. Those who need to share their unfinished app on an intranet or the Internet can change it, but there should be a warning next to the host= variable about the consequences.

The debug warning says "production environment" but it should really say any network with untrusted users (Internet or intranet). If there is a need to share a development app on an untrusted network, it should have basic authentication and SSL in front of it.

Change History

Changed 2 years ago by sluggo

Ticket is based on this mailing list discussion:  http://groups.google.com/group/pylons-discuss/browse_thread/thread/9eda26d355e949a5

Changed 2 years ago by bbangert

  • status changed from new to closed
  • resolution set to fixed

Fixed in rceae59fcb945

Changed 2 years ago by bbangert

  • milestone set to 0.9.7
Note: See TracTickets for help on using tickets.

Powered by Pylons - Contact Administrators