[mythtv] MythWeb
Paul Gardiner
lists at glidos.net
Thu Jan 30 07:00:53 UTC 2014
On 30 January 2014 06:30:19 GMT, Jean-Yves Avenard <jyavenard at gmail.com> wrote:
>Hi
>
>On Thursday, January 30, 2014, Paul Gardiner <lists at glidos.net> wrote:
>
>> On 29 January 2014 19:06:22 GMT, Gary Buhrmaster <
>> gary.buhrmaster at gmail.com <javascript:;>> wrote:
>> >On Wed, Jan 29, 2014 at 6:55 PM, Jay Ashworth
><jra at baylink.com<javascript:;>>
>> wrote:
>> >....
>> >> Does Myth *really* want to assume responsibility for public web
>> >security?
>> >
>> >Nope, and neither should the existing MythWeb PHP functions
>> >(if you search carefully, you can find people who put MythWeb
>> >on the 'net; you could delete all their recordings, and remove
>> >all their rules, should one be appropriately so evilly inclined).
>>
>> I don't think that was the point Jay was making. If you take over
>port 80,
>> then bugs can possibly open up a way to run arbitrary code on the
>server
>> (albeit as mythbackend user). It's far worse than just the loss of
>some
>> recordings. I'm now starting to wonder whether this new approach is a
>bad
>> idea.
>>
>> I get the wish to avoid rewriting existing cpp code in php, but why
>not
>> provide php veneers over the existing cpp. And surely the new way
>means
>> providing our own versions of parts of apache.
>>
>>
>Why would you need to take over port 80?
I said just said "take over port 80" to match the previous post. I think which port you use is irrelevant. Which ever you use, most users will want it open to the internet, and you are processing raw http requests from potential attackers.
More information about the mythtv-dev
mailing list