Re: is it ok to listen on a localhost port for tests during build time?
]] Serafeim Zanikolas
| The service supports no authorisation/authentication and, as of now, has no
| way of limiting the size of inserted messages. Would it be acceptable if I
| were to patch the tests to accept connections only from the localhost?
| (implies a potential risk of a local user attack)
What are the implications of a user inserting a message? Test failing
where it should succeed? DoS causing the build to fail? DoS causing
the disk to fill up? Local root exploit? If it's just the build
failing, I think it's fine. If it becomes a root exploit, it's
certainly not.
| From a robustness perspective, I could patch the tests to try several
| different port numbers if the default (11400) is not available.
This might be good, yes.
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
Reply to: