[dancer-users] Public web server by default is insecure
gabor at szabgab.com
Wed Mar 18 18:11:57 GMT 2015
On Wed, Mar 18, 2015 at 7:40 PM, Warren Young <wyml at etr-usa.com> wrote:
> On Mar 18, 2015, at 9:07 AM, Yitzchak Scott-Thoennes <sthoenna at gmail.com>
> > On Wed, Mar 18, 2015 at 7:55 AM, Warren Young <wyml at etr-usa.com> wrote:
> >> On Mar 16, 2015, at 11:58 PM, Gabor Szabo <gabor at szabgab.com> wrote:
> >>> Actually I think I know what I'd like, regardless of the defaults: I'd
> >>> like the default configuration files to contain commented out entries for
> >>> every (or every important) parameter with short explanation and/or with
> >>> link to the longer explanation.
> >> So you want roadblocks. You want the dancer helper app to generate an
> >> app that won’t run at all until you go in and hack on some configuration
> >> files. Do I have that right?
> > No, you don't. Read it again?
> Yes, I know what it says. I also know what he asked for originally, and
> what the title of this thread is.
> I don’t see how it makes Dancer more secure to point users to the docs
> from a configuration file when those docs are already present. The only
> way a configuration file change can make Dancer more secure is to either
> bind to localhost, or turn off the listener entirely, in order to force
> users to RTFM before they can get a new Dancer app to do what they almost
> certainly actually want.
> Regardless, the claim that Dancer is “insecure” by default has yet to be
> demonstrated. Show me an attack on a default Dancer app, and we can talk
> about it. Simply pointing out that it listens on a public IP is not a
> demonstration of insecurity.
The title of this message probably should have been a question or phrased
in some other way, but the suggestion to have commented out configuration
options? How would these entries in the configuration file constitute a
# Enable the following line to limit the server to only listen to localhost:
# server: "127.0.0.1"
# Enable the following line to turn on file-based session management:
# session: "YAML"
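An added example, not from this thread or from Dancer itself: a small audit script that reads a config.yml written in the commented-entries form proposed above and reports whether the listener would be reachable beyond localhost. It assumes Dancer's `server` and `port` keys and the behaviour of binding to all interfaces when `server` is left unset.

```python
import ipaddress

# Constructed sample of a config.yml in the style proposed in the thread:
# the secure option is present but commented out, so "server" stays unset.
SAMPLE_CONFIG = """\
# Enable the following line to limit the server to only listen to localhost:
# server: "127.0.0.1"
port: 3000
# Enable the following line to turn on file-based session management:
# session: "YAML"
"""


def parse_top_level(text):
    """Parse top-level `key: value` lines of a simple config.yml.
    Comments and blank lines are skipped and quotes stripped.
    This is deliberately not a full YAML parser."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip().strip('"').strip("'")
    return conf


def bind_exposure(conf):
    """Classify where the listener is reachable from.
    Assumption: an unset `server` means Dancer binds to every interface."""
    addr = conf.get("server")
    if addr is None:
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "hostname"  # cannot classify without resolving it
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "specific-interface"


def audit(text):
    """Return (exposure, findings) for a config.yml body; port 3000 is assumed as default."""
    conf = parse_top_level(text)
    exposure = bind_exposure(conf)
    findings = []
    if exposure in ("all-interfaces", "specific-interface"):
        findings.append(f"port {conf.get('port', '3000')} reachable beyond localhost "
                        f"({exposure}); set server: \"127.0.0.1\" for a dev instance")
    return exposure, findings
```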