in reply to Re: A rumination on finding secure scripts, versus rolling-your-own
in thread A rumination on finding secure scripts, versus rolling-your-own

I'm sure the CGI Security FAQ can't be by Selena Sol. As I recall, his scripts were amongst the worst.

--
<http://www.dave.org.uk>

"Perl makes the fun jobs fun
and the boring jobs bearable" - me


Re: Re: Re: A rumination on finding secure scripts, versus rolling-your-own
by cLive ;-) (Prior) on Mar 30, 2001 at 16:36 UTC
    Fair enough but, on looking, the FAQ was written by Lincoln Stein and is here but, in his defence, Lincoln does recommend this in the FAQ :)

    In his words... "More recently, Selena Sol has published an excellent article on the risks of installing pre-built CGI scripts, with much helpful advice on configuring and customizing these scripts to increase their security."

      It's a well-written article, but with one major flaw. It discusses the problems of passing unchecked user data to shell commands, but doesn't mention taint mode which is there to prevent you doing just that.

      --
      <http://www.dave.org.uk>

      "Perl makes the fun jobs fun
      and the boring jobs bearable" - me
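The taint-mode point made above, shown in working Perl. This is an added example, not code from the thread or from the article under discussion: under -T, perl refuses to hand tainted data to the one-string form of system(), and the only way to clear the taint is to extract an allow-listed value with a regex capture. The username pattern, the constructed input and the use of /bin/echo as a stand-in for a real command are my assumptions.

```perl
#!/usr/bin/perl -T
# Added illustration of Perl taint mode (-T); not code from the thread.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed sample input standing in for a CGI parameter. Real CGI data
# (%ENV, STDIN, @ARGV) is tainted automatically under -T; the literal
# fallback is tainted on purpose by appending a zero-length slice of a
# tainted %ENV value, a common idiom.
my $marker = substr($ENV{PATH} // '', 0, 0);
my $user   = ($ARGV[0] // 'alice; rm -rf /') . $marker;

# Taint mode also refuses to spawn anything while PATH is untrusted,
# so lock the environment down before running any subprocess.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

printf "input '%s' tainted: %s\n", $user, tainted($user) ? 'yes' : 'no';

# 1. The one-string form of system() goes through the shell, and perl
#    refuses to pass tainted data to it ("Insecure dependency in system").
#    Without -T, the injected semicolon would run "rm -rf /".
my $ok = eval { system("/bin/echo looking up $user"); 1 };
print "shell form blocked: $@" unless $ok;

# 2. Untaint by extracting an allow-listed value with a regex capture.
#    Only the captures of a successful match count as untainted, so the
#    pattern must describe exactly what a valid username looks like.
sub untaint_username {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9_.-]{1,32})\z/;
    return;    # reject anything else
}

my $safe = untaint_username($user);
if (!defined $safe) {
    print "rejected: input does not look like a username\n";
    exit 1;
}
printf "untainted value '%s' tainted: %s\n", $safe, tainted($safe) ? 'yes' : 'no';

# 3. Even with clean data, prefer the list form of system(), which never
#    invokes a shell. Caveat from perlsec: the list form's arguments are
#    not taint-checked, so the validation above still matters.
my $rc = system('/bin/echo', 'looking up', $safe);
printf "child exited with status %d\n", $rc >> 8;
```

Run it as `perl -T untaint.pl` to see the injected input rejected, and `perl -T untaint.pl alice` to see the lookup go through. The -T switch must be on the command line as well as the shebang, or perl stops with "Too late for -T".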

Re: Re: Re: A rumination on finding secure scripts, versus rolling-your-own
by Xxaxx (Monk) on Mar 30, 2001 at 16:12 UTC
    I agree.

    Because a couple of good-hearted but under-developed Perl programmers have made some rather insecure scripts available to the world we now have zillions of formmail.pl programs around the net.

    If PM does do anything about illustrating transmogrification of standard insecure scripts into better scripts (from the security point of view anyway) formmail.pl or other such ubiquitous scripts with known exploits could be good candidates as patients.

    This way it might be possible to see some of the secure scripts filter out into the world replacing the swiss-cheese versions.

    I admire the good-heartedness of the guys that released these commonly used scripts. But I wouldn't want my website on a server hosting any of these.

    Claude