OroPlatform Forums

Covering OroPlatform topics, including community updates and company announcements.

Forums OroPlatform OroPlatform – Security opened app_dev.php in oro/platform-application

This topic contains 4 replies, has 4 voices, and was last updated by msulima msulima 1 year, 9 months ago.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Author
    Replies
  • #35541

    igalayev
    Participant

    Hi, what is your concern?
    It is recommended to not deploy app_dev.php in your production environment.
    So it shouldn’t be an issue.
    Thanks.

    #35542
    Michael
    Michael
    Keymaster

    Generally the *-application repositories should be treated as sample applications with some defaults, that must be reviewed by the developers working on an actual project implementation.

    It used to be the case that most developers would install the application locally, and access the app_dev.php from localhost. But nowadays with wide-spread containerization, Docker, Vagrant, etc. – it’s more often than not, that the application is not accessed from 127.0.0.1 anymore.

    And alternatively, instead of starting with our sample application as base, a developer can always add oro platform package to their own Symfony application template they have configured to their own taste.

    #35543

    gkozinski
    Participant

    Hello,

    Sory for the late answer. I thought that I would receive an email notification of new messages in the thread.

    I understend your point of view. Yes, we can exclude this file from deploy. And I understend that for docker we have to open access for non localhost. However in clean symfony installation this file is default secured and i think there is reason for that. ORO is based on symfony, so developers which are new in ORO may expect that it would be the same after oro installation. Please note that in ORO documentation, installation based on oro/platform-application is the default one. Additionaly there is scenario when oro is install with other bundles as “ready to use” application. So there is the risk that some inexperienced developer install unsecured app_dev.php in production environment and life shows that such cases are not rare.

    Maybe I’m too fussy but I was a little bit surprised when I saw it.

    Regards

    #35544
    msulima
    msulima
    Moderator

    Hello, gkozinski.

    I’ll push it up for discussion. I don’t know, maybe some note in article https://oroinc.com/b2b-ecommerce/doc/current/install-upgrade/post-install-steps can solve this problem. What do you think?


Viewing 4 replies - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.

You will be redirected to [title]. Would you like to continue?

Yes No