Jacob Martinson wrote:
> i just read through the security section of the wiki.
> a few quick questions...
> - have there been any security related problems with the webware server
> itself in the past?
The only one I can remember is when we were using SmartCookie (from the
Python Cookie standard library), which is considered insecure.
> - is it safe to assume that webware is largely invulnerable to buffer
> overrun exploits, similar to java, because memory allocation is handled
> automatically, or are there parts of webware written in C that could be
> problematic? i'm using webkit + mod_webkit in apache2.
mod_webkit is written in C, and could potentially have a buffer overrun
in it, though I'm pretty sure it's okay (it's very small). Maybe the
marshalling process in the adapter interface could cause a problem; I
assume marshal is written in C. However, I think it's probably pretty
secure. No other part of Webware should have a problem.
> - other than logic errors in the code of a deployed app, is there
> anything in particular to look out for like register_globals in PHP?
cross-site-scripting attacks, etc. Python doesn't have tainted strings,
so you don't get that particular check as you would in Perl. But really
it's the same things you have to think about anywhere, and Python has
good ways to deal with these (e.g., use parameters instead of string
substitution in your SQL).