From: Christopher T. <ch...@ch...> - 2002-03-29 02:40:20
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello everyone,

Just wanted to find out about the current status of the input filters project. I'm interested in contributing, though I need to confirm with my employer first that they don't have a problem with that (confidentiality agreement stuff).

Regards,
Chris

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPKPS1g1yj8e2/NpyEQILsACeJ4M6WImSS4RYSdB0QP6G0o4PgZUAoLpX
dDRqI9MDjeg88Q1JbTIaeJfa
=VTvS
-----END PGP SIGNATURE-----
From: Gabriel L. <ga...@bu...> - 2002-06-21 18:49:09
Howdy folks,

So, project manager hat on...

What we've done this week:

1. Reviewed old info and cvs code (individually)
2. IRC chat
3. Posted transcript of IRC chat
4. Alex put together a summary and project goal proposal
5. Some discussion on project goal summary

What we really need to do next is come to a consensus on the project goals and pull that together into a document. It feels a little to me that we haven't really reached a consensus yet, rather that different viewpoints have been put forth. Correct me if I am wrong. How can we move forward to make sure that there is common ground and common agreement on what this project will be doing?

On top of this, Mark is hoping to get our page updated, and was asking for it to be done this weekend. I'm a little uncomfortable spending too much time changing things on the site until I feel like we all have a common view of what we are doing. So, what are the next steps?

-gabe
From: Matt W. <wi...@ce...> - 2002-06-21 19:01:57
On Friday 21 June 2002 13:47, Gabriel Lawrence wrote:
> Howdy folks,
>
> So, project manager hat on...
>
> What we've done this week:
>
> 1. Reviewed old info and cvs code (individually)
> 2. IRC chat
> 3. Posted transcript of IRC chat
> 4. Alex put together a summary and project goal proposal
> 5. Some discussion on project goal summary
>
> What we really need to do next is come to a consensus on the project
> goals and pull that together into a document. It feels a little to me
> that we haven't really reached a consensus yet, rather that different
> viewpoints have been put forth. Correct me if I am wrong. How can we
> move forward to make sure that there is common ground and common
> agreement on what this project will be doing?
>
> On top of this, Mark is hoping to get our page updated, and was asking
> for it to be done this weekend. I'm a little uncomfortable spending too
> much time changing things on the site until I feel like we all have a
> common view of what we are doing. So, what are the next steps?

I think the problem is that some of us (myself included) have been doing that project "no-no" of trying to force design-related ideas before we even have our project requirements set. We still need to know what, before we worry about how.

I believe there were a few things we know we need to do, such as:

  1) Canonicalize data
  2) Input/output filtering

Other things are still not agreed upon, such as:

  3) Type checking
  4) Range checking

This is, of course, an oversimplified list, and by all means, please add to it. But we need to decide on what's what before we continue.

-matt

--
Matthew Wirges
Developer, CERIAS Incident Response Database
wi...@ce... -- [765]49-67707
From: Alex R. <al...@se...> - 2002-06-21 19:26:39
Gabriel Lawrence wrote:
> What we really need to do next is come to a consensus on the project
> goals and pull that together into a document. It feels a little to me
> that we haven't really reached a consensus yet, rather that different
> viewpoints have been put forth. Correct me if I am wrong.

I think we can summarize what we've agreed on thus far as:

1.) we disagree on a lot of stuff
2.) we must canonicalize data before filtering
3.) we're supposed to filter stuff...and stuff...
4.) that I can't spell.

and what we disagree on as:

1.) how far the project should go in protecting developers
2.) whether or not our target developers know a compiler from a hole in the ground
3.) whether or not type checking is sane, considering we're not all programming in nice, tidy languages like Java
4.) how "signatures" should be stored
5.) whether or not we should use "signatures" at all
6.) how many licks it takes to get to the center of a tootsie-pop
7.) how much work should be required on the part of developers to create/invoke a given filter.

> How can we move forward to make sure that there is common ground and common
> agreement on what this project will be doing?

I submit that we need to set out a list of points that we need to agree on. Once those points are decided, they should more or less dictate the overall design, and we can then start to iterate on a reference implementation.

--
Alex Russell
al...@Se...
al...@ne...
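A worked illustration of the two points made above, Matt's list (canonicalize, filter, type check, range check) and Alex's rule that canonicalization has to come before filtering. This is an added example in Python and not code from the OWASP input filters project; the decode-pass bound, the username allow-list and the quantity range are values assumed for the demonstration.

```python
import re
import unicodedata
from urllib.parse import unquote_plus

MAX_DECODE_PASSES = 3  # assumed bound on nested percent-encoding before giving up


class CanonicalizationError(ValueError):
    """Raised when input never settles into a stable decoded form."""


def canonicalize(raw: str) -> str:
    """Percent-decode until a fixed point is reached, then NFKC-normalize.

    Decoding to a fixed point is what lets a later filter see '%2541'
    (double-encoded 'A') as the letter 'A' rather than as punctuation.
    """
    current = raw
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote_plus(current)
        if decoded == current:
            return unicodedata.normalize("NFKC", decoded)
        current = decoded
    # Still changing after the allowed passes: reject rather than guess.
    raise CanonicalizationError("input did not reach a decoding fixed point")


# Filters are positive (allow-list) checks run only on canonical text.
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{2,15}")  # assumed policy


def validate_username(raw: str) -> str:
    text = canonicalize(raw)
    if not USERNAME_RE.fullmatch(text):
        raise ValueError("username contains characters outside the allow-list")
    return text


def validate_quantity(raw: str, low: int = 1, high: int = 99) -> int:
    """Type check (unsigned integer) followed by range check, in that order."""
    text = canonicalize(raw)
    if not re.fullmatch(r"[0-9]{1,3}", text):
        raise ValueError("quantity is not a small unsigned integer")
    value = int(text)
    if not low <= value <= high:
        raise ValueError(f"quantity {value} outside {low}..{high}")
    return value


def filter_without_canonicalizing(raw: str) -> bool:
    """The wrong order: the same allow-list applied to the raw, still-encoded text."""
    return USERNAME_RE.fullmatch(raw) is not None
```

Note that `canonicalize()` also turns a literal `%` or `+` in the data into something else, so a form field that legitimately carries those characters needs its own canonical form rather than this one.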
From: Mark C. <ma...@cu...> - 2002-06-21 20:16:45
You know I seem to own the mailing list but don't have the password. So I can't even add myself to it as it requires auth of the admin subscribing ;-) Hence all I saw was the same old please approve or deny ma...@cu... each night :-) God I am such a looozer sometimes. It's being reset anyways.

As for the main OWASP page we were hoping to get a high level page that's consistent with each project. No need to do detail design plans. The WebScarab one is a template. Just means we all have the same look and feel for now until we do the portal when we can get more granularity.

What we found helpful with WebScarab was the workbook. The sections included requirements etc so it kinda led us to creating all the doc needed. I guess the owasp.org page should be like the RUP vision statement.

Zed Shaw has also been playing with Wiki for this as editing it all is much easier. Not sure if we can install CGIs at SourceForge but if we could that would be a great solution. A sample dev Wiki is at http://projects.itservices.ubc.ca/cgi-bin/moin.cgi

I have often found in the past that plodding through a vision statement, non-functional requirements and some use cases helps solidify everyone's idea on the design. If there are any touchy subjects, simple voting can work well.

I am going to read Alex's project goal proposal now.

On Fri, 2002-06-21 at 11:47, Gabriel Lawrence wrote:
> Howdy folks,
>
> So, project manager hat on...
>
> What we've done this week:
>
> 1. Reviewed old info and cvs code (individually)
> 2. IRC chat
> 3. Posted transcript of IRC chat
> 4. Alex put together a summary and project goal proposal
> 5. Some discussion on project goal summary
>
> What we really need to do next is come to a consensus on the project
> goals and pull that together into a document. It feels a little to me
> that we haven't really reached a consensus yet, rather that different
> viewpoints have been put forth. Correct me if I am wrong. How can we
> move forward to make sure that there is common ground and common
> agreement on what this project will be doing?
>
> On top of this, Mark is hoping to get our page updated, and was asking
> for it to be done this weekend. I'm a little uncomfortable spending too
> much time changing things on the site until I feel like we all have a
> common view of what we are doing. So, what are the next steps?
>
> -gabe
From: vertigo <ve...@pa...> - 2002-04-02 13:43:54
You're our first post. I apologize for the delay. Not all of the developers have subscribed yet so there hasn't been much traffic.

Nathan

On Thu, 28 Mar 2002, Christopher Todd wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello everyone,
>
> Just wanted to find out about the current status of the input filters
> project. I'm interested in contributing, though I need to confirm
> with my employer first that they don't have a problem with that
> (confidentiality agreement stuff).
>
> Regards,
> Chris
>
> _______________________________________________
> Owasp-input-api-developers mailing list
> Owa...@li...
> https://lists.sourceforge.net/lists/listinfo/owasp-input-api-developers
From: Steve S. <sj...@Ju...> - 2002-04-02 15:18:28
At 08:43 AM 4/2/02 -0500, you wrote:
>You're our first post. I apologize for the delay. Not all of the
>developers have subscribed yet so there hasn't been much traffic.

Ping.

I'm here.

--
Steve Sobol, Proud Native of the Great Frozen City of Cleveland, Ohio
http://www.Cleveland.OH.US/ http://www.TravelCleveland.com/
http://www.LakeCountyOhio.org/ (Where the Snow is Cold but our Hearts Aren't!)
CTO, JustThe.net LLC, Mentor On The Lake, Lake County, OH http://JustThe.net/
From: Nik C. <ni...@ni...> - 2002-04-02 15:44:15
Ditto.

Anybody else here looking at PHP/ASP specific implementations of this project? Most of the discussion up until now has been Perl and Java specific.

It would also be nice to have generic filters on user posted data so that existing sites do not need to code anything to have the filters working (perhaps prepending an include.php in the Apache setup that will look at all passed variables for each script on the site).

-Nik

On Tue, 2 Apr 2002, Steve Sobol wrote:
> At 08:43 AM 4/2/02 -0500, you wrote:
> >You're our first post. I apologize for the delay. Not all of the
> >developers have subscribed yet so there hasn't been much traffic.
>
> Ping.
>
> I'm here.
>
> --
> Steve Sobol, Proud Native of the Great Frozen City of Cleveland, Ohio
> http://www.Cleveland.OH.US/ http://www.TravelCleveland.com/
> http://www.LakeCountyOhio.org/ (Where the Snow is Cold but our Hearts Aren't!)
> CTO, JustThe.net LLC, Mentor On The Lake, Lake County, OH http://JustThe.net/
From: Steven J. S. <sj...@Ju...> - 2002-04-02 17:01:15
On Wed, 3 Apr 2002, Nik Cubrilovic wrote:
> Ditto.
>
> Anybody else here looking at PHP/ASP specific implementations of this
> project?

PHP is the reason I signed on. I can also do ASP. But ASP programming is just something that pays the bills for me. PHP programming is my passion. :) (And it pays some of the bills too.)

I was also considering doing server-side extensions. That'd mean a Zend/PHP module for PHP4, and probably an ActiveX control for ASP (at least on Wintendo; I imagine ChiliASP on Linux and Solaris have no way to use ActiveX.)

--
Steve Sobol, CTO (Server Guru, Network Janitor and Head Geek)
JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET http://JustThe.net
Need a programmer? Resume going up at http://sourceforge.net/users/webdude216
From: Nik C. <ni...@ni...> - 2002-04-02 17:25:28
Yes, I was thinking a module as an addition to Zend/PHP:

http://www.php.net/manual/en/zend.php

and an ISAPI object on Windows for IIS with the same functionality:

http://www.15seconds.com/issue/010104.htm

So once there is an outline, we can then go ahead and code ASP/PHP "ports" (both would have to be written in C). Perhaps there are other options for IIS other than an ISAPI filter (ActiveX control written in VB then registered on the server).

-Nik

On Tue, 2 Apr 2002, Steven J. Sobol wrote:
> PHP is the reason I signed on. I can also do ASP. But ASP programming
> is just something that pays the bills for me. PHP programming is my
> passion. :) (And it pays some of the bills too.)
>
> I was also considering doing server-side extensions. That'd mean
> a Zend/PHP module for PHP4, and probably an ActiveX control for ASP (at
> least on Wintendo; I imagine ChiliASP on Linux and Solaris have no way
> to use ActiveX.)
>
> --
> Steve Sobol, CTO (Server Guru, Network Janitor and Head Geek)
> JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET http://JustThe.net
> Need a programmer? Resume going up at http://sourceforge.net/users/webdude216