Open jamie-pate opened 12 years ago
Yep, didn't implement much security as this is a power tool for smart developers who should know what they run :) Ease of use over security.
However, security could be improved by
I have coded the last two mechanisms as optionals into the upcoming 1.0.2 script.
A simple key or password would probably be nice too. Path checking will prevent most fishing, but if the fisherman can guess your development path, they could poison your code with all sorts of exploits.
I think password auth would be overkill for this tool, and I'm feeling too lazy to implement it now...
As I currently read server.py, this will write the file anywhere on the host machine? With the only security being that it's bound to localhost.
I have at least added a regex match on the path:

```python
import re

# Only continue to the write step if the requested path starts with the jail prefix
if re.match('^/path/to/chroot/jail', fpath):
    # ... the existing write code in server.py runs here
    pass
```
A password might be nice too; otherwise anyone could just write a web app that fishes for this server and start writing stuff all over.
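The thread's concern is that server.py writes to whatever path the client names, and the proposed fix is a regex prefix match. The following is an added example, not code from server.py or from either participant, comparing that prefix check with a canonicalised containment check. `/path/to/chroot/jail` is the placeholder jail directory from the thread; the helper names and the sample paths are constructed for illustration.

```python
import os
import re

# Placeholder jail directory, taken from the thread; the real server would configure this.
JAIL = "/path/to/chroot/jail"


def prefix_check(fpath, jail=JAIL):
    """The regex prefix check as posted in the thread, for comparison.

    It only looks at the raw string, so '..' segments and sibling directories
    that happen to share the prefix (e.g. '/path/to/chroot/jailbreak') pass.
    """
    return re.match("^" + re.escape(jail), fpath) is not None


def resolved_path_check(fpath, jail=JAIL):
    """Canonicalise both paths, then require the target to sit inside the jail.

    os.path.realpath collapses '..' segments lexically and follows any symlinks
    that exist on disk, so the comparison is made on where the write would
    actually land rather than on the string the client sent. A relative
    fpath is interpreted as relative to the jail; an absolute one is taken
    as given (os.path.join discards the jail prefix for absolute inputs).
    """
    jail_real = os.path.realpath(jail)
    target = os.path.realpath(os.path.join(jail_real, fpath))
    try:
        # commonpath works on components, so 'jailbreak' is not inside 'jail'
        return os.path.commonpath([jail_real, target]) == jail_real
    except ValueError:
        # Raised when the two paths cannot share a prefix (e.g. different
        # drives on Windows); treat that as outside the jail.
        return False


# Constructed sample requests: (path the client asked for, expected verdict)
SAMPLE_REQUESTS = [
    ("/path/to/chroot/jail/app.js", True),            # legitimate write inside the jail
    ("sub/dir/app.js", True),                          # relative path lands inside the jail
    ("/path/to/chroot/jail/../../../../etc/passwd", False),  # traversal out of the jail
    ("/path/to/chroot/jailbreak/app.js", False),       # sibling directory sharing the prefix
    ("/etc/passwd", False),                            # unrelated absolute path
]


def compare_checks(requests=SAMPLE_REQUESTS):
    """Return, per request, what each check decides next to the expected verdict."""
    return [
        (fpath, prefix_check(fpath), resolved_path_check(fpath), expected)
        for fpath, expected in requests
    ]


if __name__ == "__main__":
    print(f"{'path':50} prefix  resolved  expected")
    for fpath, by_prefix, by_resolved, expected in compare_checks():
        print(f"{fpath:50} {str(by_prefix):7} {str(by_resolved):9} {expected}")
```

Running the block shows the two traversal-style requests accepted by the prefix match and rejected by the resolved check, while the relative path is rejected by the prefix match even though it would land safely inside the jail. The containment check does not replace the localhost binding or a shared secret discussed in the thread; it only closes the gap between the path string a client sends and the location that string resolves to.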