
The app.py file has the share=True option enabled by default, which may expose internal network services without the user's knowledge #33

Open
LJFYYJ opened this issue Sep 18, 2024 · 0 comments


LJFYYJ commented Sep 18, 2024

Risk: The block.launch(share=True) call in app.py enables Gradio's share=True by default. This can potentially create a direct FRP tunnel, exposing internal network services to the public without the user's awareness, increasing the risk of the user's machine being compromised.

Reference: In the stable-diffusion-webui project, the default setting when running ./webui.sh is share=False. The FRP tunnel is only established if the user adds the parameter ./webui.sh --share, making services accessible from the public.

Recommendation: Remove the share=True parameter from app.py to ensure that the default configuration is secure, meaning that the service is only available on 127.0.0.1:7860. If users need to expose the service to the public, they can add the corresponding parameter themselves.
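As an added example (not code from the project or the reporter), one way to implement the recommendation above: sharing becomes opt-in via a `--share` flag, mirroring the `./webui.sh --share` behaviour cited, and the default launch binds only to 127.0.0.1:7860. The `--listen` and `--port` flags are assumptions added for illustration; `share`, `server_name` and `server_port` are real `Blocks.launch()` keyword arguments.

```python
"""Opt-in Gradio sharing: the default stays on 127.0.0.1:7860, a tunnel needs --share."""
import argparse

LOCAL_HOST = "127.0.0.1"
DEFAULT_PORT = 7860


def parse_args(argv):
    # --share is off unless the user passes it explicitly, like ./webui.sh --share
    parser = argparse.ArgumentParser(description="Launch the demo UI")
    parser.add_argument("--share", action="store_true",
                        help="create a public Gradio share tunnel (off by default)")
    # --listen and --port are assumed flags for this example, not from the project
    parser.add_argument("--listen", action="store_true",
                        help="bind to all interfaces instead of 127.0.0.1 (LAN access, no tunnel)")
    parser.add_argument("--port", type=int, default=DEFAULT_PORT)
    return parser.parse_args(argv)


def launch_kwargs(argv):
    """Translate CLI flags into keyword arguments for Blocks.launch().

    With no flags the result is share=False and server_name=127.0.0.1, so the
    UI is reachable only from the local machine.
    """
    args = parse_args(argv)
    return {
        "share": args.share,
        "server_name": "0.0.0.0" if args.listen else LOCAL_HOST,
        "server_port": args.port,
    }


def main(argv=None):
    import sys
    import gradio as gr  # imported lazily so launch_kwargs() is testable without gradio

    kwargs = launch_kwargs(sys.argv[1:] if argv is None else argv)
    if kwargs["share"]:
        # Make the consequence of --share visible in the console at startup
        print("NOTE: --share opens a public tunnel to this machine", file=sys.stderr)
    with gr.Blocks() as block:
        gr.Markdown("demo")
    block.launch(**kwargs)


if __name__ == "__main__":
    main()
```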
