[dancer-users] Public web server by default is insecure

Warren Young wyml at etr-usa.com
Wed Mar 18 17:40:23 GMT 2015


On Mar 18, 2015, at 9:07 AM, Yitzchak Scott-Thoennes <sthoenna at gmail.com> wrote:
> 
> On Wed, Mar 18, 2015 at 7:55 AM, Warren Young <wyml at etr-usa.com> wrote:
>> On Mar 16, 2015, at 11:58 PM, Gabor Szabo <gabor at szabgab.com> wrote:
>>> Actually I think I know what I'd like, regardless the defaults: I'd like the default configuration files to contain commented out entries for every (or every important) parameter with short explanation and/or with link to the longer explanation.
>> 
>> So you want roadblocks.  You want the dancer helper app to generate an app that won’t run at all until you go in and hack on some configuration files.  Do I have that right?
> 
> No, you don't.  Read it again?

Yes, I know what it says.  I also know what he asked for originally, and what the title of this thread is.

I don’t see how it makes Dancer more secure to point users to the docs from a configuration file when those docs are already present.  The only way a configuration file change can make Dancer more secure is to either bind to localhost, or turn off the listener entirely, in order to force users to RTFM before they can get a new Dancer app to do what they almost certainly actually want.

Regardless, the claim that Dancer is “insecure” by default has yet to be demonstrated.  Show me an attack on a default Dancer app, and we can talk about it.  Simply pointing out that it listens on a public IP is not a demonstration of insecurity.
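The two configuration choices named in the reply above (bind to localhost, or turn the standalone listener off and put the app behind a reverse proxy) are the only ones that actually change the exposure of a freshly generated app. The following config.yml fragment is an added illustration, not text from the thread or from the Dancer distribution; it assumes the `host` and `port` settings that Dancer reads from config.yml, and the file is a constructed sample:

```yaml
# config.yml (constructed sample, not a generated Dancer file)

# Default behaviour as shipped: the standalone server binds every
# interface on the machine, so the dev app is reachable from the network.
# host: 0.0.0.0
# port: 3000

# Hardened development setting: bind only the loopback interface, so the
# app answers requests from this machine alone. Anything that should be
# public goes through a reverse proxy (nginx, Apache) that terminates TLS
# and forwards to this port.
host: 127.0.0.1
port: 3000

# If the app is deployed as a PSGI application under a real web server
# (plackup/Starman behind the proxy, or mod_psgi), the standalone server
# and its listener are not started at all, which is the second option
# mentioned above.
```

After starting the app, confirm what the process actually bound to with `ss -ltnp` (or `netstat -ltnp` on older systems): a line showing `127.0.0.1:3000` means the change took effect, while `0.0.0.0:3000` or `*:3000` means the default is still in force.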

