
Connection must originate on localhost #20

Closed
JKingsnorth opened this issue Mar 12, 2015 · 3 comments

Comments

@JKingsnorth

When I run 'amp test' I receive the error in the title.

It seems that this is because the script is checking the REMOTE_ADDR for 'localhost'. Except, because the request is coming from the command line, the REMOTE_ADDR is not being set?

Unless there is something else that might be causing the 403 response at this point.

Any help debugging this would be great. Thanks.

@totten
Collaborator

totten commented Mar 13, 2015

OK, so it looks like we're talking about canary.php -- which is generated by TestCommand and installed on the test site as part of an end-to-end test:

https://github.com/totten/amp/blob/30aaa0f94/src/Amp/Command/TestCommand.php#L103
https://github.com/totten/amp/blob/30aaa0f94/src/Amp/views/canary.php#L6

The script does some incautious things -- e.g. it accepts a MySQL DSN from $_POST and connects to it -- and that could be abused (e.g. to launch DoS) if some bug or accident caused the file to show up on a public httpd. So the script includes the localhost check to prevent abuse by third parties.

We could change the mechanism for passing DSN (e.g. pass it the same way we pass $dataDir or $autoloader)... Do you think the script would be secure enough that it would be OK if (through bug or accident) it got exposed on a public URL? If so, we could remove the REMOTE_ADDR check entirely.

Aside: I'm kind of curious what use-case you have in which REMOTE_ADDR is not localhost...

@JKingsnorth
Author

Hi totten. Sorry, I may have misidentified the issue. I've done some more testing this morning and I'm getting an access denied even before it manages to get into the script, so I expect this is a broader permissions issue on my server.

The REMOTE_ADDR is only set if you're accessing from localhost, but not using the command line. Since I was debugging the file using the command line, the REMOTE_ADDR wasn't set, so it was hitting this error. That sent me off course a bit.

Thanks for the comments though. I think the localhost check should probably stay in place for security, as you mention.
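As an added example (this is not canary.php from totten/amp, and the function name requestIsLocal and the sample $_SERVER arrays are constructed for this illustration): a REMOTE_ADDR loopback gate of the kind totten describes, written so that it can also be run from the command line, which is the situation JKingsnorth hit where REMOTE_ADDR is simply absent. It checks the whole 127.0.0.0/8 block, ::1 and the IPv4-mapped ::ffff:127.x form, ignores spoofable proxy headers, and treats the CLI SAPI as local because there is no remote peer at all in that case.

```php
<?php
// Added example, not canary.php from totten/amp. Gate for a test-only script
// that (like canary.php) would accept a MySQL DSN from $_POST: refuse any
// request whose TCP peer is not the loopback interface.
//
// $server and $sapi are parameters (instead of reading $_SERVER / PHP_SAPI
// directly) so the check can be exercised from the command line with
// constructed inputs; the function name is this example's own.
function requestIsLocal(array $server, string $sapi): bool
{
    // Under the CLI SAPI there is no HTTP request at all, so REMOTE_ADDR is
    // never populated. Treat a CLI run as local instead of failing with 403,
    // which is the confusing behaviour reported in this issue.
    if ($sapi === 'cli') {
        return true;
    }

    // Only REMOTE_ADDR is trustworthy: the web server fills it from the TCP
    // peer address. Do not fall back to X-Forwarded-For or similar headers,
    // which any client can set. A missing REMOTE_ADDR under a web SAPI is
    // treated as "not local".
    $addr = $server['REMOTE_ADDR'] ?? '';
    if ($addr === '') {
        return false;
    }
    // Drop an IPv6 zone id (e.g. "fe80::1%lo0") before validating.
    $addr = explode('%', $addr, 2)[0];

    if (filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        // The whole 127.0.0.0/8 block is loopback, not just 127.0.0.1.
        return strncmp($addr, '127.', 4) === 0;
    }
    if (filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        $bin = inet_pton($addr);                          // 16 raw bytes
        if ($bin === str_repeat("\0", 15) . "\x01") {     // ::1
            return true;
        }
        // IPv4-mapped loopback, ::ffff:127.x.x.x (can appear on dual-stack listeners).
        return substr($bin, 0, 12) === str_repeat("\0", 10) . "\xff\xff"
            && ord($bin[12]) === 127;
    }
    return false;
}

if (PHP_SAPI === 'cli') {
    // Constructed $_SERVER samples: each case is [server array, sapi, expected].
    $cases = [
        'plain loopback'            => [['REMOTE_ADDR' => '127.0.0.1'], 'fpm-fcgi', true],
        'other 127/8 address'       => [['REMOTE_ADDR' => '127.0.0.53'], 'fpm-fcgi', true],
        'IPv6 loopback'             => [['REMOTE_ADDR' => '::1'], 'fpm-fcgi', true],
        'IPv4-mapped loopback'      => [['REMOTE_ADDR' => '::ffff:127.0.0.1'], 'fpm-fcgi', true],
        'LAN client'                => [['REMOTE_ADDR' => '10.0.0.5'], 'fpm-fcgi', false],
        'spoofable header ignored'  => [['REMOTE_ADDR' => '10.0.0.5',
                                         'HTTP_X_FORWARDED_FOR' => '127.0.0.1'], 'fpm-fcgi', false],
        'REMOTE_ADDR unset on web'  => [[], 'apache2handler', false],
        'REMOTE_ADDR unset on CLI'  => [[], 'cli', true],
    ];
    $failures = 0;
    foreach ($cases as $name => [$server, $sapi, $expected]) {
        $got = requestIsLocal($server, $sapi);
        printf("%-28s %s\n", $name, $got === $expected ? 'ok' : 'FAIL');
        $failures += (int) ($got !== $expected);
    }
    exit($failures === 0 ? 0 : 1);
}

// Web SAPI: apply the gate before touching anything from $_POST.
if (!requestIsLocal($_SERVER, PHP_SAPI)) {
    http_response_code(403);
    header('Content-Type: text/plain');
    exit("Connection must originate on localhost\n");
}
// ... the test-only work (e.g. connecting to the DSN from $_POST) would go here.
```

Run it with `php <file>` to execute the constructed cases (exit status 0 means all passed); dropped into a web root it applies the gate and returns 403 to anything that is not a loopback peer. The one thing the check cannot do is protect a script behind a reverse proxy on the same host, where every request arrives from 127.0.0.1: in that deployment the loopback check is no longer meaningful and the script should not be reachable through the proxy at all.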

@JKingsnorth
Author

Silly me, I was trying to include the file before the <Directory />, and there were permissions to fix up as well. Sorry for the false alarm totten, but thanks for the help.
