[dancer-users] Public web server by default is insecure

Juan José 'Peco' San Martín jsanmartin at gmail.com
Wed Mar 18 15:06:22 GMT 2015


In short:

Maybe just adding options to *"dancer2 gen"* is the way. When creating an
app, then have the possibility to define these types of parameters.

Peco

2015-03-18 15:55 GMT+01:00 Warren Young <wyml at etr-usa.com>:

> On Mar 16, 2015, at 11:58 PM, Gabor Szabo <gabor at szabgab.com> wrote:
> >
> > 1) A long time ago when I was teaching at a company and told people to
> install some CPAN module, during installation it wanted to open a port on
> their computer to run the test. Some of the students were surprised /
> shocked on the security implications.
>
> Network I/O in a CPAN test is indeed a bit questionable.
>
> I don’t really see how that has anything to do with Dancer, though.  If
> you go and install a web app server framework, generate a web app with the
> dancer/dancer2 tool, and then *run it by hand*, you are somehow surprised
> to find that it is serving a web app?!  It’s called the “Web” because it
> connects all computers running web servers; you can’t do that by listening
> for connections only on localhost.
>
> I suspect if you did a survey of all the vast number of web app
> frameworks, that most of them listen on 0.0.0.0.  All of those that run
> under Apache and IIS do, for a start.
>
> What threat model are you actually working with here?  Is it something
> deeper than just a knee-jerk reaction to an open TCP listener?  I mean,
> what can a default dancer app actually *do* that worries you?  Even if you
> go and run it at the root of your filesystem *as root*, it can’t do
> anything dangerous like serve up /etc/shadow, because it only serves files
> from its views and public subdirs.
>
> > Actually I think I know what I'd like, regardless the defaults: I'd like
> the default configuration files to contain commented out entries for every
> (or every important) parameter with short explanation and/or with link to
> the longer explanation.
>
> So you want roadblocks.  You want the dancer helper app to generate an app
> that won’t run at all until you go in and hack on some configuration
> files.  Do I have that right?
> _______________________________________________
> dancer-users mailing list
> dancer-users at dancer.pm
> http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
>
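As an added illustration of what the thread is discussing, here is what a generated config.yml with the bind settings documented in place could look like. This is not a file from the Dancer project or from anyone in this thread; the setting names `host`, `port` and `show_errors` are the ones Dancer2::Config documents for the built-in standalone server (`perldoc Dancer2::Config`), and the values chosen are assumptions for a development machine.

```yaml
# config.yml (constructed example, not generated by dancer2 gen)

# Bind address of the built-in server started with `perl bin/app.pl`.
# Dancer2's own default is 0.0.0.0, i.e. every interface on the machine,
# so anything that can reach the box can reach the app. 127.0.0.1 keeps
# the listener reachable only from the local machine while developing.
host: 127.0.0.1
# host: 0.0.0.0        # framework default: reachable from the network

# TCP port of the built-in server (framework default: 3000).
port: 3000

# Render a detailed debug page in the browser when a request dies.
# Handy on a laptop; on a public listener it shows file paths and
# code fragments to whoever triggers the error, so leave it off there.
# show_errors: 0
```

When the app is started with `plackup bin/app.psgi` instead of `bin/app.pl`, the bind address and port come from plackup's own `--host` and `--port` options and the `host`/`port` settings above are not consulted, so a localhost default in config.yml only protects the built-in server path. After starting either way, a quick check of what is actually listening (`ss -ltnp` or `netstat -ltnp` on Linux) confirms whether the socket is bound to 127.0.0.1 or to 0.0.0.0.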