The problem/use-case that the feature addresses

We had a typo in the name of the Redis config file. This caused the server to run with a (vulnerable) default config (standard port, no password). It took us a while before we figured that out. Even though the Flask caching client sent a password, Redis did not use it (due to the missing config).

Description of the feature

1. Give a warning if the default config is used / no password is set.
2. If a client sends a password but the Redis instance has none set, it should print at least a warning or refuse the connection.

Both settings help a lot in finding unsafe settings.

Alternatives you've considered

Don't accept a default config!

Additional information

  • Redis Docker Image: 6.2.6
  • Flask Client Version: Flask-Caching 1.10.1

Comment From: oranagra

What kind of typo was it? If you provide an argument that's not recognized or a config file that's missing, Redis won't start. Also, what's vulnerable about the default config?

Comment From: maximilianreimer

You do not need to provide a config file to start Redis, if I am not mistaken. This caused our instance to start without a password.

Oran Agra wrote on Fri., 8 Apr. 2022, 13:49:

What kind of typo was it? If you provide an argument that's not recognized or a config file that's missing, Redis won't start. Also, what's vulnerable about the default config?


Comment From: oranagra

So you started it with 0 parameters? Is that the typo? It's true that Redis starts by default with no password, but it also starts with protected-mode on, which will prevent access from non-local connections.
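A defender-side check in the spirit of request 1 and of the protected-mode point in the last comment, added here as an example that is neither Redis code nor the thread author's: it parses a redis.conf and warns when no requirepass is set, protected-mode is off, or the instance binds to non-loopback interfaces, and flags the combination that leaves Redis open to the network. The sample config is constructed, and ACL `user` lines are deliberately not considered.

```python
"""Audit a redis.conf for settings that leave an instance reachable without a password."""

# Constructed sample (not a real file): the insecure combination discussed in the thread.
SAMPLE_CONF = """
port 6379
bind 0.0.0.0
protected-mode no
# requirepass s3cret      <- commented out by mistake, so no password is set
"""

def parse_redis_conf(text):
    """Map each directive to its value; Redis uses the last occurrence, so later lines win."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        directives[key.lower()] = value.strip()
    return directives

def audit_redis_conf(text):
    """Return (findings, critical). 'critical' means no password is set AND nothing
    else (bind or protected-mode) keeps remote clients away from the instance."""
    d = parse_redis_conf(text)
    findings = []
    # requirepass missing or set to "" means no password (ACL 'user' lines are ignored here).
    password_set = d.get("requirepass", "").strip('"') != ""
    if not password_set:
        findings.append("no requirepass: any client that reaches the port has full access")
    # With no config file at all, Redis 6 listens on every interface; only protected-mode
    # (default yes) then refuses connections from non-loopback addresses.
    protected = d.get("protected-mode", "yes").lower() == "yes"
    if not protected:
        findings.append("protected-mode no: remote clients are not rejected when no password is set")
    bind = d.get("bind", "")
    # Redis 6.2 allows an optional-address prefix like '-::1'; strip it before comparing.
    addrs = [a.lstrip("-") for a in bind.split()]
    exposed = bind == "" or any(a in ("0.0.0.0", "::", "*") for a in addrs)
    if exposed:
        findings.append("bind %s: listening on non-loopback interfaces" % (bind or "(unset, all interfaces)"))
    return findings, (not password_set and exposed and not protected)

if __name__ == "__main__":
    findings, critical = audit_redis_conf(SAMPLE_CONF)
    for f in findings:
        print("WARNING:", f)
    print("CRITICAL: open to the network without a password" if critical else "OK: remote access blocked")
```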