This repository was archived by the owner on Nov 27, 2020. It is now read-only.
Properly lock down app_dev.php #937
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Currently, web/app_dev.php in the symphony-standard package limits requests to those coming from CLI and unproxied localhost. This prevents an attacker to execute this file in a production environment. IPv4 localhost requests can come from 127.0.0.0/8, so the current check is actually a little bit too restrictive, but safe. IPv6 localhost requests come from ::1/128. The address fe80::1, however, is a link-local IPv6 address like any other. Anyone in the local network can take it and communicate with it. Therefore, it does not belong here.
|
Isn't |
|
@Pierstoval No, see the text in the commit and pull request description. The closest equivalent to |
|
👍 Should be merged in 2.3 |
|
👍 |
|
Thank you @phihag. |
fabpot
added a commit
that referenced
this pull request
Aug 18, 2016
This PR was submitted for the master branch but it was merged into the 2.7 branch instead (closes #937). Discussion ---------- Properly lock down app_dev.php Currently, web/app_dev.php in the symfony-standard package limits requests to those coming from CLI and unproxied localhost. This prevents an attacker to execute this file in a production environment. IPv4 localhost requests can come from 127.0.0.0/8, so the current check is actually a little bit too restrictive, but safe. IPv6 localhost requests come from ::1/128. The address fe80::1, however, is a link-local IPv6 address like any other. Anyone in the local network can take it and communicate with it. Therefore, it does not belong here. Commits ------- f63bbbf Properly lock down app_dev.php
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently, web/app_dev.php in the symfony-standard package limits requests to those coming from CLI and unproxied localhost.
This prevents an attacker to execute this file in a production environment.
IPv4 localhost requests can come from 127.0.0.0/8, so the current check is actually a little bit too restrictive, but safe.
IPv6 localhost requests come from ::1/128.
The address fe80::1, however, is a link-local IPv6 address like any other. Anyone in the local network can take it and communicate with it. Therefore, it does not belong here.