Bug #370
closed
spawn-fcgi binds fcgis to *:port, which can be a security risk
Description
Hey weigon,
See: http://dev.rubyonrails.org/ticket/2874
I found that spawn-fcgi (used with the rails spawner) binds fcgis to 0.0.0.0:port which can be a security risk. I think by default they should be bound to the loopback interface: 127.0.0.1:port and if they are to bind to the external interface, an IP or some "all external IPs" wildcard should be allowed.
best,
_alex
-- root
Updated by Anonymous almost 19 years ago
I'd like to second this request. It would be great to have an option to spawn-fcgi that specified the IP it listened on. Would make sense to default to localhost, but for backwards compatibility it would be fine to keep default as 0.0.0.0.
The key is that you be able to specify where it binds.
Probably unlikely that it would happen, but someone could point their lighttpd at remote ports, guessing that they might be waiting fcgi's, and occasionally be right.
-- mjankowski
Updated by Anonymous over 18 years ago
Starting from 1.4.11 spawn-fcgi has the -a option allowing you to select a specific IP address.
-- zsombor
Updated by stbuehler over 16 years ago
- Status changed from New to Fixed
- Resolution set to fixed
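
An added example (not part of the original ticket or the spawn-fcgi project): a shell function that reads `ss -H -ltnp`-style lines and reports listeners bound to a wildcard address, the condition this ticket describes. The sample lines, process names, PIDs and ports are constructed, and `<fcgi-program>` is a placeholder.

```shell
#!/bin/sh
# Added example: report TCP listeners bound to a wildcard address.
# Reads lines in `ss -H -ltnp` format on stdin:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
# Prints "port address process" for each wildcard-bound listener.
wildcard_listeners() {
    awk '
    $1 == "LISTEN" {
        # Split addr:port at the last colon so IPv6 forms parse too.
        n = match($4, /:[0-9]+$/)
        if (n == 0) next
        host = substr($4, 1, n - 1)
        port = substr($4, n + 1)
        # Wildcard spellings: 0.0.0.0, *, [::], and :: (older ss shows :::port).
        if (host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::")
            printf "%s %s %s\n", port, host, ($6 == "" ? "-" : $6)
    }'
}

# Constructed sample input (process names, PIDs and ports are made up).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:9000 0.0.0.0:* users:(("php-cgi",pid=1234,fd=0))
LISTEN 0 128 127.0.0.1:9001 0.0.0.0:* users:(("php-cgi",pid=1240,fd=0))
LISTEN 0 128 [::]:9002 [::]:* users:(("dispatch.fcgi",pid=1250,fd=0))
LISTEN 0 128 *:9003 *:* users:(("dispatch.fcgi",pid=1260,fd=0))
LISTEN 0 128 [::1]:9004 [::]:* users:(("php-cgi",pid=1270,fd=0))
EOF
}

# Only 9000, 9002 and 9003 are reported; the loopback listeners are not.
sample_ss_output | wildcard_listeners

# On a live host: ss -H -ltnp | wildcard_listeners
# A reported FastCGI backend can be respawned with the -a option from this
# ticket, e.g. spawn-fcgi -a 127.0.0.1 -p 9000 -f <fcgi-program>
```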