Re^2: Catalyst or other frameworks in a security critical context

Thank you very much for your advice! SSL is indeed necessary, and Catalyst seems to be able to handle this in a nice way.

Or breaking into your box through some kind of injections?

Yes, apart from securing the communication channel via SSL, this is one of my primary concerns -- that there may be, for example, an unsecured SQL statement in one of Catalyst's subclasses that may be used for SQL injection, or some kind of exploit to read local files.

You'll have to keep in mind while working that nothing will do the security checks for you, You'll have to do everything on your own.

ahmad, do you mean that I have to, for example, pre-check input before the Catalyst dispatcher gets its hands on it?

Comment on Re^2: Catalyst or other frameworks in a security critical context

Replies are listed 'Best First'.
Re^3: Catalyst or other frameworks in a security critical context by Your Mother (Archbishop) on Feb 09, 2010 at 20:01 UTC
Catalyst proper contains no SQL handling whatsoever. It's mostly just a dispatch framework with hooks for arranging various pieces into controllers, models, and views. While adding in those parts it will be your responsibility to choose prefab/drop-in components that are secure or to write your own. DBIx::Class is a commonly used model driver, e.g., which is secure if used properly. It runs SQL parameters through DBI binding, for example. If you have concerns about a particular piece or plugin, definitely bring them up on the Catalyst mailing list. You'll likely be soothed and if you discover a real issue, you'll see developers jump to fix it. A lot of very smart hackers work with Catalyst so the odds that it and its major extensions are safe are higher than they would be rolling your own; even if you were smarter than all of them. :) More eyes, more hands, more test suites, more live deployments.	[reply]

Replies are listed 'Best First'.

Re^3: Catalyst or other frameworks in a security critical context
by Your Mother (Archbishop) on Feb 09, 2010 at 20:01 UTC

Catalyst proper contains no SQL handling whatsoever. It's mostly just a dispatch framework with hooks for arranging various pieces into controllers, models, and views.

While adding in those parts it will be your responsibility to choose prefab/drop-in components that are secure or to write your own. DBIx::Class is a commonly used model driver, e.g., which is secure if used properly. It runs SQL parameters through DBI binding, for example.

If you have concerns about a particular piece or plugin, definitely bring them up on the Catalyst mailing list. You'll likely be soothed and if you discover a real issue, you'll see developers jump to fix it. A lot of very smart hackers work with Catalyst so the odds that it and its major extensions are safe are higher than they would be rolling your own; even if you were smarter than all of them. :) More eyes, more hands, more test suites, more live deployments.

[reply]