[Bug]: Including reverse proxy like this is a huge security liability + bugs #16434
Open
Labels: bug-report (Report of a bug, yet to be confirmed)
What happened?
Began debugging why I was able to access the service from an internal IP (docker net) but not via my own traefik proxy, and then realized I could also access it from a *.gradio.live URL, given that the docker template I was using had a share flag included in the entrypoint.
Steps to reproduce the problem
Start webui.sh without understanding the security risks of opening a connection to an arbitrary url.
What should have happened?
Do not package a reverse proxy server with this application and then expect people to install it on their home PCs. It's a liability, regardless of your intention. Even inside of a container ecosystem, this is a security risk given that the user didn't configure it themselves. This is potentially a vector for many now-insecure devices, and this is not some novel concept.
There are plenty of exploits posted around the web for gradio.live specifically, but allowing users to unknowingly add a --share without likely understanding that implication is extremely careless at best. Consider removing the ability to proxy gradio altogether. Consider including a readme with instructions on how to properly set up a secure reverse proxy themselves using nginx + best practices.
What browsers do you use to access the UI?
No response
Sysinfo
Ubuntu Server x86_64 (or any other operating system)
Console logs
Additional information
No response
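One way to set up the local nginx reverse proxy the report recommends in place of --share, as an added example that is not part of the original issue or the project's own documentation. It assumes the webui is started without --share and listens only on 127.0.0.1:7860 (gradio's default port); the hostname, certificate, htpasswd and LAN range values are placeholders.

```nginx
# Added example: nginx in front of a locally bound webui, replacing --share.
# Assumes the app listens only on 127.0.0.1:7860 (gradio's default port);
# hostname, certificate, htpasswd and LAN range are placeholders.
server {
    listen 443 ssl;
    server_name webui.example.internal;                 # placeholder hostname

    ssl_certificate     /etc/ssl/certs/webui.crt;       # placeholder path
    ssl_certificate_key /etc/ssl/private/webui.key;     # placeholder path

    # Require a login before any request reaches the app.
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;          # placeholder path

    # Additionally restrict access to the local network.
    allow 192.168.1.0/24;                               # constructed example range
    deny  all;

    location / {
        proxy_pass http://127.0.0.1:7860;
        proxy_http_version 1.1;
        # Gradio uses WebSocket/streaming connections; forward the upgrade.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 300s;                        # long-running generations
    }
}

# Redirect plain HTTP to HTTPS so credentials are never sent in the clear.
server {
    listen 80;
    server_name webui.example.internal;                 # placeholder hostname
    return 301 https://$host$request_uri;
}
```

With the app bound to loopback only, the proxy is the sole network entry point; checking with a port listing (for example ss -lnt) that 7860 is bound to 127.0.0.1 rather than 0.0.0.0 confirms the setup.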