Comments on: A note about Symfony security faults http://www.symfonylab.com/a-note-about-symfony-security-faults/ Everything you wanted to know about Symfony framework but did not know who to ask! Fri, 05 Sep 2008 22:43:39 +0000 http://wordpress.org/?v=2.6.1 By: Piskvor http://www.symfonylab.com/a-note-about-symfony-security-faults/#comment-355 Piskvor Mon, 21 Apr 2008 11:46:15 +0000 http://www.symfonylab.com/a-note-about-symfony-security-faults/#comment-355 Oops, entity filtering ate my post robots: <?php echo((SF_ENVIRONMENT == 'dev') ? 'noindex, nofollow' : 'index,follow'); ?> Oops, entity filtering ate my post
robots: <?php echo((SF_ENVIRONMENT == ‘dev’) ? ‘noindex, nofollow’ : ‘index,follow’); ?>

]]> By: Piskvor http://www.symfonylab.com/a-note-about-symfony-security-faults/#comment-354 Piskvor Mon, 21 Apr 2008 11:44:49 +0000 http://www.symfonylab.com/a-note-about-symfony-security-faults/#comment-354 Also, for the site being spidered by Google: there are META robots tags in default view set to "index, follow." In case I would accidentaly get my _dev front controller to the test site (God forbid!), I have made a change in my app's view.yml - therefore, polite robots won't index my dev page. It's not a security measure except by obscurity, but better than to have a vulnerability automatically indexed, no? Here's the change: robots: Also, for the site being spidered by Google: there are META robots tags in default view set to “index, follow.”

In case I would accidentaly get my _dev front controller to the test site (God forbid!), I have made a change in my app’s view.yml - therefore, polite robots won’t index my dev page. It’s not a security measure except by obscurity, but better than to have a vulnerability automatically indexed, no?

Here’s the change:
robots:

]]> By: Symfony.es » Blog Archive » Una semana con Symfony #28 (12-20 enero 2008) http://www.symfonylab.com/a-note-about-symfony-security-faults/#comment-256 Symfony.es » Blog Archive » Una semana con Symfony #28 (12-20 enero 2008) Sun, 03 Feb 2008 11:04:48 +0000 http://www.symfonylab.com/a-note-about-symfony-security-faults/#comment-256 [...] A note about Symfony security faults [...] [...] A note about Symfony security faults [...]

]]> By: Lukas http://www.symfonylab.com/a-note-about-symfony-security-faults/#comment-244 Lukas Mon, 21 Jan 2008 10:02:48 +0000 http://www.symfonylab.com/a-note-about-symfony-security-faults/#comment-244 The risk of _dev.php files making it into deployment was a major concern for me from day one. Frameworks should make it hard to fail. Languages should make it hard to fail. PHP does this and symfony for the most part as well. The good news there is a fix: http://trac.symfony-project.com/wiki/SecuringDevFrontend My preferred method "Adapt url/asset helper url generation" will become even easier in symfony 1.1 The risk of _dev.php files making it into deployment was a major concern for me from day one. Frameworks should make it hard to fail. Languages should make it hard to fail. PHP does this and symfony for the most part as well.

The good news there is a fix:
http://trac.symfony-project.com/wiki/SecuringDevFrontend

My preferred method “Adapt url/asset helper url generation” will become even easier in symfony 1.1

]]> By: rpsblog.com » A week of symfony #55 (14-&gt;20 january 2007) http://www.symfonylab.com/a-note-about-symfony-security-faults/#comment-243 rpsblog.com » A week of symfony #55 (14-&gt;20 january 2007) Sun, 20 Jan 2008 23:00:33 +0000 http://www.symfonylab.com/a-note-about-symfony-security-faults/#comment-243 [...] A note about Symfony security faults [...] [...] A note about Symfony security faults [...]

]]> By: Youpi http://www.symfonylab.com/a-note-about-symfony-security-faults/#comment-240 Youpi Sat, 19 Jan 2008 09:29:27 +0000 http://www.symfonylab.com/a-note-about-symfony-security-faults/#comment-240 What's unfair is to publish the urls where the dev front controllers are publicly available. this is a major security hole as it shows db queries, server env vars and so on. You encourage exploits attempts and script kiddies challenges. That's unfair, IMHO. What’s unfair is to publish the urls where the dev front controllers are publicly available. this is a major security hole as it shows db queries, server env vars and so on.

You encourage exploits attempts and script kiddies challenges. That’s unfair, IMHO.

]]> By: Teal http://www.symfonylab.com/a-note-about-symfony-security-faults/#comment-239 Teal Sat, 19 Jan 2008 08:19:55 +0000 http://www.symfonylab.com/a-note-about-symfony-security-faults/#comment-239 It looks like 3 of 4 your examples is made by same person. At least they are on same host. Anyway good points which hopelly are obvious most of us... It looks like 3 of 4 your examples is made by same person. At least they are on same host.

Anyway good points which hopelly are obvious most of us…

]]> By: stefan http://www.symfonylab.com/a-note-about-symfony-security-faults/#comment-238 stefan Fri, 18 Jan 2008 21:51:01 +0000 http://www.symfonylab.com/a-note-about-symfony-security-faults/#comment-238 I actually fell for the _dev problem as well. And actually, I still forgot to add it to the rsync_exclude list. need to do that. I actually fell for the _dev problem as well. And actually, I still forgot to add it to the rsync_exclude list. need to do that.

]]> By: admin http://www.symfonylab.com/a-note-about-symfony-security-faults/#comment-237 admin Fri, 18 Jan 2008 17:54:03 +0000 http://www.symfonylab.com/a-note-about-symfony-security-faults/#comment-237 What exactly is not fair? What exactly is not fair?

]]> By: Youpi http://www.symfonylab.com/a-note-about-symfony-security-faults/#comment-236 Youpi Fri, 18 Jan 2008 17:42:21 +0000 http://www.symfonylab.com/a-note-about-symfony-security-faults/#comment-236 Right, very. But that's not fair with people having the problems you describe. Right, very. But that’s not fair with people having the problems you describe.

]]>