spawn-fcgi binds fcgis to *:port, which can be a security risk
I found that spawn-fcgi (used with the rails spawner) binds fcgis to 0.0.0.0:port which can be a security risk. I think by default they should be bound to the loopback interface: 127.0.0.1:port and if they are to bind to the external interface, an IP or some "all external IPs" wildcard should be allowed.
Updated by Anonymous over 17 years ago
I'd like to second this request. It would be great to have an option to spawn-fcgi that specified the IP it listened on. Would make sense to default to localhost, but for backwards compatibility it would be fine to keep default as 0.0.0.0.
The key is that you be able to specify where it binds.
Probably unlikely that it would happen, but someone could point their lighttpd at remote ports, guessing that they might be waiting fcgi's, and occasionally be right.
Updated by Anonymous almost 17 years ago
Starting from 1.4.11 spawn-fcgi has the -a option allowing you to select a specific IP address.
Updated by stbuehler over 14 years ago
- Status changed from New to Fixed
- Resolution set to fixed
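
Added example, not part of the original ticket or the project's code: a check that can be run after restarting the backends with `-a 127.0.0.1` to confirm that no FastCGI port is still listening on the wildcard or an external address. The `ss -H -ltn` sample, the port numbers and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -H -ltn` output (not taken from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:9000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9001 0.0.0.0:*
LISTEN 0 128 [::]:9002 [::]:*
LISTEN 0 128 *:9003 *:*
LISTEN 0 128 [::1]:9004 [::]:*
LISTEN 0 128 192.0.2.10:9005 0.0.0.0:*
"""

def classify(host):
    """Return 'wildcard', 'loopback', 'specific' or 'unknown' for a bind address."""
    host = host.split("%", 1)[0].strip("[]")  # drop interface scope and IPv6 brackets
    if host == "*":                           # ss prints '*' for a dual-stack wildcard
        return "wildcard"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    if addr.is_unspecified:                   # 0.0.0.0 or ::
        return "wildcard"
    return "loopback" if addr.is_loopback else "specific"

def parse_listeners(ss_output):
    """Yield (host, port, kind) for every LISTEN line; header lines are skipped."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")  # local address is the 4th column
        if port.isdigit():
            yield host, int(port), classify(host)

def exposed(ss_output, fcgi_ports):
    """Listeners on the given FastCGI ports that are reachable beyond loopback."""
    return [(h, p, k) for h, p, k in parse_listeners(ss_output)
            if p in fcgi_ports and k != "loopback"]

if __name__ == "__main__":
    for host, port, kind in exposed(SAMPLE_SS, set(range(9000, 9006))):
        print(f"{host}:{port} is bound to a {kind} address")
```

On a live host, pass the output of `ss -H -ltn` in place of `SAMPLE_SS`, together with the ports the FastCGI backends are configured to use.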