Home / Browse / Webware for Python / Mail / Archive

Webware for Python

Email Archive: webware-discuss (read-only)

2000:	_Jan	_Feb	_Mar	_Apr	_May (149)	_Jun (174)	_Jul (41)	_Aug (118)	_Sep (72)	_Oct (111)	_Nov (69)	_Dec (147)
2001:	_Jan (242)	_Feb (276)	_Mar (363)	_Apr (704)	_May (183)	_Jun (209)	_Jul (173)	_Aug (230)	_Sep (80)	_Oct (306)	_Nov (338)	_Dec (291)
2002:	_Jan (273)	_Feb (294)	_Mar (303)	_Apr (463)	_May (319)	_Jun (182)	_Jul (160)	_Aug (140)	_Sep (192)	_Oct (302)	_Nov (238)	_Dec (176)
2003:	_Jan (179)	_Feb (222)	_Mar (256)	_Apr (167)	_May (139)	_Jun (145)	_Jul (113)	_Aug (259)	_Sep (146)	_Oct (124)	_Nov (143)	_Dec (66)
2004:	_Jan (58)	_Feb (128)	_Mar (193)	_Apr (228)	_May (111)	_Jun (107)	_Jul (93)	_Aug (78)	_Sep (48)	_Oct (99)	_Nov (104)	_Dec (119)
2005:	_Jan (115)	_Feb (124)	_Mar (86)	_Apr (41)	_May (52)	_Jun (21)	_Jul (32)	_Aug (14)	_Sep (52)	_Oct (30)	_Nov (19)	_Dec (19)
2006:	_Jan (43)	_Feb (35)	_Mar (68)	_Apr (21)	_May (38)	_Jun (46)	_Jul (19)	_Aug (38)	_Sep (58)	_Oct (15)	_Nov (12)	_Dec (30)
2007:	_Jan (49)	_Feb (23)	_Mar (29)	_Apr (19)	_May (33)	_Jun (4)	_Jul (10)	_Aug (26)	_Sep (2)	_Oct (9)	_Nov (1)	_Dec (21)
2008:	_Jan (15)	_Feb (3)	_Mar (10)	_Apr (8)	_May (4)	_Jun (2)	_Jul (2)	_Aug	_Sep	_Oct (2)	_Nov (13)	_Dec
2009:	_Jan (11)	_Feb (4)	_Mar	_Apr (6)	_May	_Jun (16)	_Jul (1)	_Aug	_Sep	_Oct	_Nov	_Dec (9)
2010:	_Jan (6)	_Feb (4)	_Mar (2)	_Apr (12)	_May (20)	_Jun (9)	_Jul (7)	_Aug	_Sep (1)	_Oct (5)	_Nov	_Dec (4)
2011:	_Jan	_Feb	_Mar (10)	_Apr	_May	_Jun	_Jul (9)	_Aug (2)	_Sep	_Oct	_Nov	_Dec
2012:	_Jan (2)	_Feb	_Mar	_Apr	_May	_Jun	_Jul	_Aug	_Sep (6)	_Oct (3)	_Nov (8)	_Dec (11)
2013:	_Jan (1)	_Feb (1)	_Mar	_Apr	_May	_Jun	_Jul	_Aug	_Sep	_Oct	_Nov	_Dec

[Webware-discuss] security

From: Michael Engelhart <mengelhart@ka...> - 2002-12-18 16:18

hi all -

I'm about to put a Webware 0.7 site into production and have been going 
through my system for possible security holes (Unix).

Is there  anything in particular I should keep in mind as far as 
Webware for security?  I read the Wiki on Security but it's mostly 
stuff I already know about in regards to general security and sesssion 
id security, etc.   Are there any inherent risks in running .py files 
(generated by Cheetah) in my webware application directory?

If I remove all the extraneous application contexts (including Admin) 
is the only directory that will serve files the context that I setup 
for my application?

Thanks for any suggestions to cure my paranoia :-)

Mike

Re: [Webware-discuss] security

From: Ian Bicking <ianb@co...> - 2002-12-18 18:49

You may want to remove extraneous contexts -- they aren't generally
necessary anyway.  Of course, there are a whole set of general scripting
security issues -- mostly boiling down to not implicitly trusting any
input you receive.

You may way to consider the user you run the AppServer as, and the
permissions you want to use.  If you use MakeAppWorkDir, the entire
Webware directory can be set not to be writable.

On Wed, 2002-12-18 at 10:17, Michael Engelhart wrote:
> hi all -
> 
> I'm about to put a Webware 0.7 site into production and have been going 
> through my system for possible security holes (Unix).
> 
> Is there  anything in particular I should keep in mind as far as 
> Webware for security?  I read the Wiki on Security but it's mostly 
> stuff I already know about in regards to general security and sesssion 
> id security, etc.   Are there any inherent risks in running .py files 
> (generated by Cheetah) in my webware application directory?
> 
> If I remove all the extraneous application contexts (including Admin) 
> is the only directory that will serve files the context that I setup 
> for my application?
> 
> Thanks for any suggestions to cure my paranoia :-)
> 
> Mike
> 
> 
> 
> -------------------------------------------------------
> This SF.NET email is sponsored by: Order your Holiday Geek Presents Now!
> Green Lasers, Hip Geek T-Shirts, Remote Control Tanks, Caffeinated Soap,
> MP3 Players,  XBox Games,  Flying Saucers,  WebCams,  Smart Putty.
> T H I N K G E E K . C O M       http://www.thinkgeek.com/sf/
> _______________________________________________
> Webware-discuss mailing list
> Webware-discuss@...
> https://lists.sourceforge.net/lists/listinfo/webware-discuss
-- 
Ian Bicking <ianb@...>

[Webware-discuss] security

From: Jacob Martinson <jmartinson@in...> - 2004-04-16 16:18

i just read through the security section of the wiki.

a few quick questions...

- have there been any security related problems with the webware server
itself in the past?

- is it safe to assume that webware is largely invulnerable to buffer
overrun exploits, similar to java, because memory allocation is handled
automatically, or are there parts of webware written in C that could be
problematic?  i'm using webkit + mod_webkit in apache2.

- other than logic errors in the code of a deployed app, is there
anything in particular to look out for like register_globals in PHP?

thanks!

-jacob

Re: [Webware-discuss] security

From: Jacob Martinson <jmartinson@in...> - 2004-04-16 16:30

I guess what I'm curious overall is where does Webware fit into the
spectrum of Tomcat/JBoss on the "secure" side, IIS on the "weak" side
and PHP somewhere in the middle?

Thanks!

-Jacob

On Fri, 2004-04-16 at 11:37, Jacob Martinson wrote:
> i just read through the security section of the wiki.
> 
> a few quick questions...
> 
> - have there been any security related problems with the webware server
> itself in the past?
> 
> - is it safe to assume that webware is largely invulnerable to buffer
> overrun exploits, similar to java, because memory allocation is handled
> automatically, or are there parts of webware written in C that could be
> problematic?  i'm using webkit + mod_webkit in apache2.
> 
> - other than logic errors in the code of a deployed app, is there
> anything in particular to look out for like register_globals in PHP?
> 
> thanks!
> 
> -jacob
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by: IBM Linux Tutorials
> Free Linux tutorial presented by Daniel Robbins, President and CEO of
> GenToo technologies. Learn everything from fundamentals to system
> administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
> _______________________________________________
> Webware-discuss mailing list
> Webware-discuss@...
> https://lists.sourceforge.net/lists/listinfo/webware-discuss

Re: [Webware-discuss] security

From: Ian Bicking <ianb@co...> - 2004-04-16 16:50

Jacob Martinson wrote:
> i just read through the security section of the wiki.
> 
> a few quick questions...
> 
> - have there been any security related problems with the webware server
> itself in the past?

The only one I can remember is when we were using SmartCookie (from the 
Python Cookie standard library), which is considered insecure.

> - is it safe to assume that webware is largely invulnerable to buffer
> overrun exploits, similar to java, because memory allocation is handled
> automatically, or are there parts of webware written in C that could be
> problematic?  i'm using webkit + mod_webkit in apache2.

mod_webkit is written in C, and could potentially have a buffer overrun 
in it, though I'm pretty sure it's okay (it's very small).  Maybe the 
marshalling process in the adapter interface could cause a problem; I 
assume marshal is written in C.  However, I think it's probably pretty 
secure.  No other part of Webware should have a problem.

> - other than logic errors in the code of a deployed app, is there
> anything in particular to look out for like register_globals in PHP?

Just the normal quoting issues, SQL injection, Javascript 
cross-site-scripting attacks, etc.  Python doesn't have tainted strings, 
so you don't get that particular check as you would in Perl.  But really 
it's the same things you have to think about anywhere, and Python has 
good ways to deal with these (e.g., use parameters instead of string 
substitution in your SQL).

   Ian

Webware for Python

Email Archive: webware-discuss (read-only)

1 message has been excluded from this view by a project administrator.