
Re: is it ok to listen on a localhost port for tests during build time?

]] Serafeim Zanikolas 

| The service supports no authorisation/authentication and, as of now, has no
| way of limiting the size of inserted messages. Would it be acceptable if I
| were to patch the tests to accept connections only from the localhost?
| (implies a potential risk of a local user attack)

What are the implications of a user inserting a message?  Test failing
where it should succeed?  DoS causing the build to fail?  DoS causing
the disk to fill up?  Local root exploit?  If it's just the build
failing, I think it's fine.  If it becomes a root exploit, it's
certainly not.

| From a robustness perspective, I could patch the tests to try several
| different port numbers if the default (11400) is not available.

This might be good, yes.

Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
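The two mitigations discussed above (bind the test listener to the loopback address only, and fall back to neighbouring ports when 11400 is taken) in working form, as an added example that is not code from the package under discussion or from either poster. The helper names, the ten-port fallback window and the message-size cap are assumptions; the size cap goes slightly beyond the thread, since the service itself has no such limit, and is there to bound the "local user fills the disk" DoS that Tollef asks about.

```python
"""Added example: loopback-only listener for build-time tests with port
fallback and a bounded receive.  Not from the package discussed in the
thread; helper names, fallback window and size cap are assumptions."""
import errno
import socket

DEFAULT_PORT = 11400           # default port named in the thread
LOOPBACK = "127.0.0.1"         # bind here, never on 0.0.0.0
MAX_MESSAGE_BYTES = 64 * 1024  # assumed cap; the real service has none


def bind_loopback_listener(start_port=DEFAULT_PORT, attempts=10, host=LOOPBACK):
    """Return a listening TCP socket bound to `host`, trying start_port,
    start_port+1, ... for up to `attempts` ports.  Only "port busy" style
    errors trigger the fallback; anything else is re-raised so a broken
    build fails loudly instead of silently moving to another port."""
    last_err = None
    for port in range(start_port, start_port + attempts):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.bind((host, port))
            sock.listen(1)
            return sock
        except OSError as err:
            sock.close()
            if err.errno in (errno.EADDRINUSE, errno.EACCES):
                last_err = err
                continue
            raise
    raise OSError(errno.EADDRINUSE,
                  "no free port in %d-%d on %s (last error: %s)"
                  % (start_port, start_port + attempts - 1, host, last_err))


def bound_port(sock):
    """Port the listener actually got, so the test client can be pointed at it."""
    return sock.getsockname()[1]


def is_loopback_only(sock):
    """Check that the listener is not accidentally reachable from the network."""
    return sock.getsockname()[0] == LOOPBACK


def connect_loopback(port):
    """Test client side: connect explicitly to 127.0.0.1, not to a hostname."""
    return socket.create_connection((LOOPBACK, port))


def peer_is_local(conn):
    """Belt-and-braces check on an accepted connection.  Cannot fail while the
    listener is bound to 127.0.0.1, but catches a later change to 0.0.0.0."""
    return conn.getpeername()[0] == LOOPBACK


def recv_bounded(conn, limit=MAX_MESSAGE_BYTES):
    """Read one message (until the peer closes) but never buffer more than
    `limit` bytes: a local user who connects and streams garbage gets a
    ValueError and a failed test, not an unbounded buffer on disk or in RAM."""
    chunks = []
    received = 0
    while True:
        # Ask for at most one byte past the limit so overflow is detected
        # without reading an arbitrary amount beyond it.
        data = conn.recv(min(4096, limit - received + 1))
        if not data:
            break
        received += len(data)
        if received > limit:
            raise ValueError("message exceeds %d bytes" % limit)
        chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    listener = bind_loopback_listener()
    print("test listener on %s:%d" % listener.getsockname())
    listener.close()
```

Binding to port 0 (`bind_loopback_listener(start_port=0, attempts=1)`) lets the kernel pick a free ephemeral port instead, which avoids the fallback loop entirely as long as the test client reads the port back with `bound_port()` rather than assuming 11400.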
