[Phpmyadmin-devel] AllowArbitraryServer and synchronisation

Isaac Bennetch bennetch at gmail.com
Mon Jan 31 18:01:13 CET 2011


Hi,

On 1/28/2011 11:33 AM, Marc Delisle wrote:
> Michal Čihař wrote:
>> Hi all
>>
>> for security reasons we have chosen AllowArbitraryServer to be disabled
>> by default. On the other hand, we have the synchronization feature, which
>> allows connecting to an arbitrary server as well and fetching any data
>> from it.
>>
>> I think this disproportion should be fixed. I can see two approaches:
>>
>> 1. The other option would be to drop AllowArbitraryServer completely as
>> right now it really does not bring any security.
>
> I'm not in favor.
>>
>> 2. Make AllowArbitraryServer really work as expected:
>> - Make AllowArbitraryServer enabled by default. I don't think the risk
>>    is too big and many people would use this feature.
>
> I'm also not in favor, because of the increased risk. By doing so by
> default we open the door to access (or try to access) any MySQL server
> reachable by this web server.
>
> I also don't like the extra "Server" question that this would bring.
>
>> - If AllowArbitraryServer is set to false, disallow synchronization
>>    with arbitrary server as well.
>
> I am in favor of this suggestion.
>
>>
>> But maybe I'm missing some other possibility. Comments?

I agree. Sounds good to me.
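One way to implement the suggestion Marc and Isaac favour, as an added example that is not phpMyAdmin's own code: refuse a synchronisation source or target that is not already listed in $cfg['Servers'] whenever $cfg['AllowArbitraryServer'] is false, so the web server cannot be used to reach any MySQL host it happens to see. The function name, the sample configuration and the port default are assumptions.

```php
<?php
// Added example (not phpMyAdmin's code): gate a synchronisation target on
// $cfg['AllowArbitraryServer']. The $cfg layout (1-indexed 'Servers' entries
// with 'host' and 'port') mirrors config.inc.php; the rest is assumed.

function isSyncTargetAllowed(array $cfg, string $host, int $port): bool
{
    // With arbitrary servers allowed, any reachable host may be used.
    if (!empty($cfg['AllowArbitraryServer'])) {
        return true;
    }
    // Otherwise the target must match a configured server (host and port).
    foreach ($cfg['Servers'] as $server) {
        $cfgHost = $server['host'] ?? 'localhost';
        // An empty 'port' in config means the MySQL default; 3306 assumed.
        $cfgPort = (int) (($server['port'] ?? '') !== '' ? $server['port'] : 3306);
        if (strcasecmp($cfgHost, $host) === 0 && $cfgPort === $port) {
            return true;
        }
    }
    return false;
}

// Constructed sample configuration with arbitrary servers disabled.
$cfg = [
    'AllowArbitraryServer' => false,
    'Servers' => [
        1 => ['host' => 'localhost', 'port' => ''],
        2 => ['host' => 'db.internal.example', 'port' => '3307'],
    ],
];

// Constructed sync requests: only the first two match a configured server.
$checks = [
    ['localhost', 3306],            // configured, default port: allowed
    ['db.internal.example', 3307],  // configured: allowed
    ['db.internal.example', 3306],  // port mismatch: refused
    ['10.0.0.5', 3306],             // not configured: refused
];
foreach ($checks as [$host, $port]) {
    printf("%s:%d -> %s\n", $host, $port,
        isSyncTargetAllowed($cfg, $host, $port) ? 'allowed' : 'refused');
}
```

The same check belongs in front of both the source and the target connection of the synchronisation page, since either side can point at a foreign host.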
