Comments (3)
daftspunk
commented on June 16, 2024
Hi @Hebing123
This is debug information. Turn off debug mode (APP_DEBUG=false) before testing further.
Please also review the security policy for important information about disclosure: https://github.com/octobercms/october/security/policy
Best regards
from docs.
Hebing123
commented on June 16, 2024
Hello @daftspunk ,
I don't agree with you.
The debug mode of Octobercms is enabled by default, which means it needs tobe manually disabled by the administrator. There is no question that if you do not turn off debug mode manually, you will create reflective XSS vulnerabilities.
For example, CVE-2021-3129, this vulnerability is occurring in Laravel Debug mode, Do you think it is harmless?? This is clearly unreasonable.
Laravel does not have Debug enabled by default, and Laravel in Octobercms has debug mode enabled by default.
I found many Octobercms production environments online with debug mode enabled.So this is a vulnerability worth fixing, it has some harm.
Repair method:
- Change the error output mode of Laravel and filter the string in the uri.
- The debug mode is disabled by default.
from docs.
daftspunk
commented on June 16, 2024
Hi @Hebing123
I've taken note of this.
The application default settings are based on Laravel.
In modern versions, there are several system warnings displayed in the admin panel when a system is not configured for production. There is a section dedicated to production configuration in the documentation.
Please follow the correct procedures in the future.
Thank you.
from docs.
Related Issues (20)
- Is it possible to make the custom validation messages a bit easier to find in the doc's HOT 8
- Correct and easy procedure to upgrade octobercms 1.0 to 1.1 HOT 1
- PHP version in public docs is incorrect but in setup-installation.md is ok HOT 2
- Blockquote advice in the Extending models section HOT 1
- Google asked me to add these things into the doc's
- Reorder HOT 2
- Add an example of implementation validation rules in a model extending HOT 2
- Emmet and autocomlete in October 2.*
- Add custom file name config information HOT 1
- When I was translating the document, I found a wording flaw HOT 1
- a slight deficiency HOT 1
- Link dead HOT 1
- File Attachments - attachMany - validation example - forceSave needed HOT 1
- https://octobercms.com/docs still redirect to v2 HOT 1
- Dead links on Configuration > CSRF chapter HOT 1
- Ajax extra features are gone HOT 1
- Broken link HOT 1
- Add version independent links please HOT 1
- Inconsistent documentation regarding relation definition options HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from docs.