opened app_dev.php in oro/platform-application

This topic contains 4 replies, has 4 voices, and was last updated by msulima 6 years, 2 months ago.

Starting from March 1, 2020 the forum has been switched to the read-only mode. Please head to StackOverflow for support.

Creator
Topic
January 30, 2018 at 8:59 am #35540

gkozinski
Participant
Hello,
someone commented lines securing app_dev.php from opening by other than local hosts. I think this is not a good idea to leave it that way. Unfortunately, reporting of issues are disabled in this repository on github, that’s why i report it here.
https://github.com/oroinc/platform-application/blob/master/web/app_dev.php
It was introduced here https://github.com/oroinc/platform-application/commit/019f0143bc362d50101e8939e1c16d7ed123d8ab, with commit message “Frontend fixes”. Is there any reasonable justification for this change?
Thanks
Creator
Topic

Viewing 4 replies - 1 through 4 (of 4 total)

Author
Replies
February 2, 2018 at 8:39 am #35541

igalayev
Participant
Hi, what is your concern?
It is recommended to not deploy app_dev.php in your production environment.
So it shouldn’t be an issue.
Thanks.
February 2, 2018 at 11:57 am #35542

Michael
Keymaster
Generally the *-application repositories should be treated as sample applications with some defaults, that must be reviewed by the developers working on an actual project implementation.
It used to be the case that most developers would install the application locally, and access the app_dev.php from localhost. But nowadays with wide-spread containerization, Docker, Vagrant, etc. – it’s more often than not, that the application is not accessed from 127.0.0.1 anymore.
And alternatively, instead of starting with our sample application as base, a developer can always add oro platform package to their own Symfony application template they have configured to their own taste.
February 5, 2018 at 2:38 pm #35543

gkozinski
Participant
Hello,
Sory for the late answer. I thought that I would receive an email notification of new messages in the thread.
I understend your point of view. Yes, we can exclude this file from deploy. And I understend that for docker we have to open access for non localhost. However in clean symfony installation this file is default secured and i think there is reason for that. ORO is based on symfony, so developers which are new in ORO may expect that it would be the same after oro installation. Please note that in ORO documentation, installation based on oro/platform-application is the default one. Additionaly there is scenario when oro is install with other bundles as “ready to use” application. So there is the risk that some inexperienced developer install unsecured app_dev.php in production environment and life shows that such cases are not rare.
Maybe I’m too fussy but I was a little bit surprised when I saw it.
Regards
February 14, 2018 at 6:54 am #35544

msulima
Moderator
Hello, gkozinski.
I’ll push it up for discussion. I don’t know, maybe some note in article https://oroinc.com/b2b-ecommerce/doc/current/install-upgrade/post-install-steps can solve this problem. What do you think?
Check our free technical guide ”How to Build a Reliable and Secure Infrastructure for OroCommerce”.
Author
Replies

Viewing 4 replies - 1 through 4 (of 4 total)

The forum ‘OroPlatform – Security’ is closed to new topics and replies.

OroPlatform Forums