From: Ian B. <ia...@co...> - 2004-04-16 16:50:40

Jacob Martinson wrote:
> I just read through the security section of the wiki.
>
> A few quick questions...
>
> - have there been any security-related problems with the webware server
> itself in the past?

The only one I can remember is when we were using SmartCookie (from the Python Cookie standard library), which is considered insecure.

> - is it safe to assume that webware is largely invulnerable to buffer
> overrun exploits, similar to java, because memory allocation is handled
> automatically, or are there parts of webware written in C that could be
> problematic? I'm using webkit + mod_webkit in apache2.

mod_webkit is written in C, and could potentially have a buffer overrun in it, though I'm pretty sure it's okay (it's very small). Maybe the marshalling process in the adapter interface could cause a problem; I assume marshal is written in C. However, I think it's probably pretty secure. No other part of Webware should have a problem.

> - other than logic errors in the code of a deployed app, is there
> anything in particular to look out for like register_globals in PHP?

Just the normal quoting issues, SQL injection, Javascript cross-site-scripting attacks, etc. Python doesn't have tainted strings, so you don't get that particular check as you would in Perl. But really it's the same things you have to think about anywhere, and Python has good ways to deal with these (e.g., use parameters instead of string substitution in your SQL).

Ian
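The "parameters instead of string substitution" advice at the end of the reply, shown side by side as an added example (not from the original thread or from Webware itself). It uses a constructed in-memory sqlite3 table; `lookup_unsafe`, `lookup_safe` and `make_db` are names chosen here for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration: three users, one admin.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", 0), ("bob", 0), ("root", 1)],
    )
    return conn


def lookup_unsafe(conn, name):
    # The pattern the reply warns against: the caller-supplied value is
    # spliced into the SQL text, so a quote character inside it changes the
    # meaning of the statement instead of staying part of the data.
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # The recommended form: the value travels as a bound parameter. The
    # driver never treats it as SQL, so quotes in it are just characters
    # to compare against.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    # Constructed input containing a quote, the "quoting issue" from the reply.
    quoted_input = "x' OR '1'='1"
    print("substitution:", lookup_unsafe(db, quoted_input))
    print("parameters:  ", lookup_safe(db, quoted_input))
```

The two calls differ only in how the value reaches the database: the substituted version returns every row, the parameterised one returns none because no user has that literal name.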