[dancer-users] Public web server by default is insecure

Warren Young wyml at etr-usa.com
Wed Mar 18 14:55:39 GMT 2015


On Mar 16, 2015, at 11:58 PM, Gabor Szabo <gabor at szabgab.com> wrote:
> 
> 1) A long time ago when I was teaching at a company and told people to install some CPAN module, during installation it wanted to open a port on their computer to run the test. Some of the students were surprised / shocked on the security implications.

Network I/O in a CPAN test is indeed a bit questionable.

I don’t really see how that has anything to do with Dancer, though.  If you go and install a web app server framework, generate a web app with the dancer/dancer2 tool, and then *run it by hand*, you are somehow surprised to find that it is serving a web app?!  It’s called the “Web” because it connects all computers running web servers; you can’t do that by listening for connections only on localhost.

I suspect if you did a survey of all the vast number of web app frameworks, that most of them listen on 0.0.0.0.  All of those that run under Apache and IIS do, for a start.

What threat model are you actually working with here?  Is it something deeper than just a knee-jerk reaction to an open TCP listener?  I mean, what can a default dancer app actually *do* that worries you?  Even if you go and run it at the root of your filesystem *as root*, it can’t do anything dangerous like serve up etc/shadow, because it only serves files from its views and public subdirs.

> Actually I think I know what I'd like, regardless the defaults: I'd like the default configuration files to contain commented out entries for every (or every important) parameter with short explanation and/or with link to the longer explanation.

So you want roadblocks.  You want the dancer helper app to generate an app that won’t run at all until you go in and hack on some configuration files.  Do I have that right?
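The argument above turns on where a dev server listens (0.0.0.0 versus localhost). As an added example that is not part of this thread, and not Dancer's own code, here is a small defender-side audit: an awk filter that reads `ss -ltn` style output and prints every listener bound to all interfaces (`0.0.0.0`, `*`, or `[::]`). The sample listening table is constructed for the example; the `--live` flag assumes iproute2's `ss` is available.

```shell
#!/bin/sh
# Constructed sample of `ss -ltn` output (made up for this example, not real data).
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    127.0.0.1:3000       0.0.0.0:*
LISTEN 0      128    0.0.0.0:5000         0.0.0.0:*
LISTEN 0      128    [::1]:6000           [::]:*
LISTEN 0      128    *:8080               *:*'

# Print Local Address:Port for every listener bound to all interfaces.
# Reads ss-style output from stdin and skips the header line.
wildcard_listeners() {
  awk 'NR > 1 {
    addr = $4
    sub(/:[^:]*$/, "", addr)   # strip the trailing :port; IPv6 brackets stay intact
    if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") print $4
  }'
}

# Wrapper over the constructed sample so the result can be checked directly.
sample_wildcard_listeners() {
  printf '%s\n' "$SAMPLE_LISTENERS" | wildcard_listeners
}

# Stand-alone use: `sh audit.sh` runs the sample, `sh audit.sh --live` audits this host.
if [ "${1:-}" = "--live" ]; then
  ss -ltn | wildcard_listeners
else
  sample_wildcard_listeners
fi
```

On the sample this reports `0.0.0.0:5000` and `*:8080`; the loopback-only entries on 3000 and 6000 are left alone. For a Dancer app run through Plack, binding to loopback is a matter of `plackup --host 127.0.0.1 bin/app.psgi` rather than any change to the generated app.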
