Re: Catalyst or other frameworks in a security critical context

What do you mean by breaking into the system ? Do you mean through the network and you require SSL to be enabled for the user upload like Khen1950fx suggested ?

Or breaking into your box through some kind of injections?

You'll have to keep in mind while working that nothing will do the security checks for you, You'll have to do everything on your own.

Use catalyst if you want to build MVC based website, if you are not familiar with it or you don't want an MVC based web application then just use Template Toolkit and CGI::Application.

Normally for file upload you'll have to keep the uploaded file outside of your public_html folder (in the parent dir?) so it's not web accessible, and you should have suexec enabled webserver so your perl script run with your username not the webserver's username, then you'll have to change the permission of the file(s) so only your website user can read it.

for the download you can make a script that will take care of this using a database where only authenticated users can download their own files.

finally, if you do care too much about your web application getting cracked you might consider hiring a security consultancy to check out your web application (although they might not be perfect on their own, but they may be able to eliminate few exploits).

Comment on Re: Catalyst or other frameworks in a security critical context

Replies are listed 'Best First'.
Re^2: Catalyst or other frameworks in a security critical context by ArgusM (Novice) on Feb 09, 2010 at 19:28 UTC
Thank you very much for your advice! SSL is indeed necessary, and Catalyst seems to be able to handle this in a nice way. Or breaking into your box through some kind of injections? Yes, apart from securing the communication channel via SSL, this is one of my primary concerns -- that there may be, for example, an unsecured SQL statement in one of Catalyst's subclasses that may be used for SQL injection, or some kind of exploit to read local files. You'll have to keep in mind while working that nothing will do the security checks for you, You'll have to do everything on your own. ahmad, do you mean that I have to, for example, pre-check input before the Catalyst dispatcher gets its hands on it?	[reply]
Re^3: Catalyst or other frameworks in a security critical context by Your Mother (Archbishop) on Feb 09, 2010 at 20:01 UTC
Catalyst proper contains no SQL handling whatsoever. It's mostly just a dispatch framework with hooks for arranging various pieces into controllers, models, and views. While adding in those parts it will be your responsibility to choose prefab/drop-in components that are secure or to write your own. DBIx::Class is a commonly used model driver, e.g., which is secure if used properly. It runs SQL parameters through DBI binding, for example. If you have concerns about a particular piece or plugin, definitely bring them up on the Catalyst mailing list. You'll likely be soothed and if you discover a real issue, you'll see developers jump to fix it. A lot of very smart hackers work with Catalyst so the odds that it and its major extensions are safe are higher than they would be rolling your own; even if you were smarter than all of them. :) More eyes, more hands, more test suites, more live deployments.	[reply]