[dancer-users] Public web server by default is insecure

Gabor Szabo gabor at szabgab.com
Wed Mar 18 18:11:57 GMT 2015


On Wed, Mar 18, 2015 at 7:40 PM, Warren Young <wyml at etr-usa.com> wrote:

> On Mar 18, 2015, at 9:07 AM, Yitzchak Scott-Thoennes <sthoenna at gmail.com>
> wrote:
> >
> > On Wed, Mar 18, 2015 at 7:55 AM, Warren Young <wyml at etr-usa.com> wrote:
> >> On Mar 16, 2015, at 11:58 PM, Gabor Szabo <gabor at szabgab.com> wrote:
> >>> Actually I think I know what I'd like, regardless of the defaults: I'd
> like the default configuration files to contain commented-out entries for
> every (or every important) parameter with a short explanation and/or with a
> link to the longer explanation.
> >>
> >> So you want roadblocks.  You want the dancer helper app to generate an
> app that won’t run at all until you go in and hack on some configuration
> files.  Do I have that right?
> >
> > No, you don't.  Read it again?
>
> Yes, I know what it says.  I also know what he asked for originally, and
> what the title of this thread is.
>
> I don’t see how it makes Dancer more secure to point users to the docs
> from a configuration file when those docs are already present.  The only
> way a configuration file change can make Dancer more secure is to either
> bind to localhost, or turn off the listener entirely, in order to force
> users to RTFM before they can get a new Dancer app to do what they almost
> certainly actually want.
>
> Regardless, the claim that Dancer is “insecure” by default has yet to be
> demonstrated.  Show me an attack on a default Dancer app, and we can talk
> about it.  Simply pointing out that it listens on a public IP is not a
> demonstration of insecurity.
>
>
The title of this message probably should have been a question or phrased
in some other way, but the suggestion to have commented-out configuration
options? How would these entries in the configuration file constitute a
roadblock?

# Enable the following line to limit the server to only listen to localhost:
# server: "127.0.0.1"

# Enable the following line to turn on file-based session management:
# session: "YAML"


Gabor

