Hi all
for security reasons we have chosen AllowArbitraryServer to be disabled by default. On the other hand, we have a synchronization feature which allows connecting to an arbitrary server as well and fetching any data from it.
I think this disproportion should be fixed. I can see two approaches:
1. The other option would be to drop AllowArbitraryServer completely as right now it really does not bring any security.
2. Make AllowArbitraryServer really work as expected:
   - Make AllowArbitraryServer enabled by default. I don't think the risk is too big and many people would use this feature.
   - If AllowArbitraryServer is set to false, disallow synchronization with arbitrary server as well.
But maybe I'm missing some other possibility. Comments?
Michal Čihař wrote:
Hi all
for security reasons we have chosen AllowArbitraryServer to be disabled by default. On the other hand, we have a synchronization feature which allows connecting to an arbitrary server as well and fetching any data from it.
I think this disproportion should be fixed. I can see two approaches:
- The other option would be to drop AllowArbitraryServer completely as right now it really does not bring any security.
I'm not in favor.
- Make AllowArbitraryServer really work as expected:
- Make AllowArbitraryServer enabled by default. I don't think the risk is too big and many people would use this feature.
I'm also not in favor, because of the increased risk. By doing so by default we open the door to access (or try to access) any MySQL server reachable by this web server.
I also don't like the extra "Server" question that this would bring.
- If AllowArbitraryServer is set to false, disallow synchronization with arbitrary server as well.
I am in favor of this suggestion.
But maybe I'm missing some other possibility. Comments?
Hi
On Fri, 28 Jan 2011 11:33:32 -0500 Marc Delisle marc@infomarc.info wrote:
Michal Čihař wrote:
Hi all
for security reasons we have chosen AllowArbitraryServer to be disabled by default. On the other hand, we have a synchronization feature which allows connecting to an arbitrary server as well and fetching any data from it.
I think this disproportion should be fixed. I can see two approaches:
- The other option would be to drop AllowArbitraryServer completely as right now it really does not bring any security.
I'm not in favor.
- Make AllowArbitraryServer really work as expected:
- Make AllowArbitraryServer enabled by default. I don't think the risk is too big and many people would use this feature.
I'm also not in favor, because of the increased risk. By doing so by default we open the door to access (or try to access) any MySQL server reachable by this web server.
I also don't like the extra "Server" question that this would bring.
- If AllowArbitraryServer is set to false, disallow synchronization with arbitrary server as well.
I am in favor of this suggestion.
As there are no other comments on this, I've filed bug #3168733 [1] to track this problem.
[1]: https://sourceforge.net/tracker/?func=detail&aid=3168733&group_id=23...
Hi,
On 1/28/2011 11:33 AM, Marc Delisle wrote:
Michal Čihař wrote:
Hi all
for security reasons we have chosen AllowArbitraryServer to be disabled by default. On the other hand, we have a synchronization feature which allows connecting to an arbitrary server as well and fetching any data from it.
I think this disproportion should be fixed. I can see two approaches:
- The other option would be to drop AllowArbitraryServer completely as right now it really does not bring any security.
I'm not in favor.
- Make AllowArbitraryServer really work as expected:
- Make AllowArbitraryServer enabled by default. I don't think the risk is too big and many people would use this feature.
I'm also not in favor, because of the increased risk. By doing so by default we open the door to access (or try to access) any MySQL server reachable by this web server.
I also don't like the extra "Server" question that this would bring.
- If AllowArbitraryServer is set to false, disallow synchronization with arbitrary server as well.
I am in favor of this suggestion.
But maybe I'm missing some other possibility. Comments?
I agree. Sounds good to me.
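The option the thread settles on, gating synchronization targets on AllowArbitraryServer so that a disabled setting also blocks sync to servers not listed in the configuration, sketched as an added example; this is not phpMyAdmin's own code, and the function name and the config array layout it reads are assumptions:

```php
<?php
// Added example, not phpMyAdmin code: decide whether the synchronization
// feature may contact a requested host:port. When AllowArbitraryServer is
// false, only hosts already present in $cfg['Servers'] are permitted, so the
// sync feature no longer bypasses the setting. Names here are assumptions.

function isSyncTargetAllowed(array $cfg, string $host, int $port): bool
{
    if (!empty($cfg['AllowArbitraryServer'])) {
        return true; // the administrator explicitly opted in to arbitrary targets
    }
    $host = strtolower(trim($host));
    foreach ($cfg['Servers'] as $server) {
        if (empty($server['host'])) {
            continue; // socket-only entry, not a TCP target
        }
        $cfgHost = strtolower(trim($server['host']));
        // An empty port in the config means the MySQL default, 3306.
        $cfgPort = (int) ($server['port'] ?? 0) ?: 3306;
        if ($cfgHost === $host && $cfgPort === $port) {
            return true;
        }
    }
    return false; // unknown server while AllowArbitraryServer is off
}

// Constructed sample configuration in the style of config.inc.php.
$cfg = [
    'AllowArbitraryServer' => false,
    'Servers' => [
        1 => ['host' => 'localhost', 'port' => ''],
        2 => ['host' => 'db.internal.example', 'port' => 3307],
    ],
];

var_dump(isSyncTargetAllowed($cfg, 'localhost', 3306));
var_dump(isSyncTargetAllowed($cfg, 'db.internal.example', 3307));
var_dump(isSyncTargetAllowed($cfg, '10.0.0.5', 3306));
```

The check has to run server-side on every synchronization request, before any connection attempt, so that a client cannot simply submit a different host than the one shown in the form.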