OroPlatform Forums

Covering OroPlatform topics, including community updates and company announcements.

Forums Forums OroPlatform OroPlatform – Security opened app_dev.php in oro/platform-application

This topic contains 4 replies, has 4 voices, and was last updated by  msulima 4 years, 9 months ago.

Starting from March 1, 2020 the forum has been switched to the read-only mode. Please head to StackOverflow for support.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Author
  • #35541


    Hi, what is your concern?
    It is recommended to not deploy app_dev.php in your production environment.
    So it shouldn’t be an issue.



    Generally the *-application repositories should be treated as sample applications with some defaults, that must be reviewed by the developers working on an actual project implementation.

    It used to be the case that most developers would install the application locally, and access the app_dev.php from localhost. But nowadays with wide-spread containerization, Docker, Vagrant, etc. – it’s more often than not, that the application is not accessed from anymore.

    And alternatively, instead of starting with our sample application as base, a developer can always add oro platform package to their own Symfony application template they have configured to their own taste.




    Sory for the late answer. I thought that I would receive an email notification of new messages in the thread.

    I understend your point of view. Yes, we can exclude this file from deploy. And I understend that for docker we have to open access for non localhost. However in clean symfony installation this file is default secured and i think there is reason for that. ORO is based on symfony, so developers which are new in ORO may expect that it would be the same after oro installation. Please note that in ORO documentation, installation based on oro/platform-application is the default one. Additionaly there is scenario when oro is install with other bundles as “ready to use” application. So there is the risk that some inexperienced developer install unsecured app_dev.php in production environment and life shows that such cases are not rare.

    Maybe I’m too fussy but I was a little bit surprised when I saw it.




    Hello, gkozinski.

    I’ll push it up for discussion. I don’t know, maybe some note in article https://oroinc.com/b2b-ecommerce/doc/current/install-upgrade/post-install-steps can solve this problem. What do you think?

Viewing 4 replies - 1 through 4 (of 4 total)

The forum ‘OroPlatform – Security’ is closed to new topics and replies.

Back to top