[Phpmyadmin-devel] AllowArbitraryServer and synchronisation
Michal Čihař
michal at cihar.com
Mon Jan 31 16:19:49 CET 2011
Hi
Dne Fri, 28 Jan 2011 11:33:32 -0500
Marc Delisle <marc at infomarc.info> napsal(a):
> Michal Čihař a écrit :
> > Hi all
> >
> > for security reasons we have chosen AllowArbitraryServer to be disabled
> > by default. On the other side we have synchronization feature which
> > allows to connect to arbitrary server as well and fetch any data from
> > it.
> >
> > I think this disproportion should be fixed. I can see two approaches:
> >
> > 1. The other option would be to drop AllowArbitraryServer completely as
> > right now it really does not bring any security.
>
> I'm not in favor.
> >
> > 2. Make AllowArbitraryServer really work as expected:
> > - Make AllowArbitraryServer enabled by default. I don't think the risk
> > is too big and many people would use this feature.
>
> I'm also not in favor, because of the increased risk. By doing so by
> default we open the door to access (or try to access) any MySQL server
> reachable by this web server.
>
> I also don't like the extra "Server" question that this would bring.
>
> > - If AllowArbitraryServer is set to false, disallow synchronization
> > with arbitrary server as well.
>
> I am in favor of this suggestion.
As there are no other comments to this, I've filed bug #3168733 [1] to
track this problem.
[1]:https://sourceforge.net/tracker/?func=detail&aid=3168733&group_id=23067&atid=377408
--
Michal Čihař | http://cihar.com | http://blog.cihar.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.phpmyadmin.net/pipermail/developers/attachments/20110131/a91889f3/attachment.sig>
More information about the Developers
mailing list