From: Michael S. <sc...@un...> - 2006-11-06 18:32:22
Trevor Davel wrote:
> Hi everyone,
>
> I have recently started to look at Tclhttpd as a means to provide a web
> interface to an application. My team has used Tcl to develop products before
> and we have a function library we'd like to use in a new application, but
> a web interface may be more appropriate than the Tk interfaces we have
> previously developed.
>
> Tclhttpd looks like it can do the job, but I have some concerns and I'd like
> to know if anyone can give me some advice.
>
> Reliability & Security
>
> There are a couple of comments and testimonials around concerning the stability
> and reliability of Tclhttpd, and they seem to be positive. On the other hand
> I have seen little comment on the security of Tclhttpd.
>
> I am also concerned by the apparent lack of development -- this could indicate
> a lack of use & support, or product maturity ;)
>
> Can anyone comment on Tclhttpd's reliability and security, preferably with
> reference to case studies in a hostile production environment?
>
> What about the pace of development? For example, bug [1446208] (server is open
> for xss attacks) was opened in March 2006 -- I would have thought XSS bugs would
> deserve high priority? Is there a roadmap for 3.5.x / 3.6, given that 3.5.1 is
> over two years old?

There is not much development on Tclhttpd. If you want a newer alternative, take a look at WUB: http://wiki.tcl.tk/wub

Other options: http://wiki.tcl.tk/15244

Regarding the XSS attack you mentioned: as far as I can remember those only happen inside the password-protected admin area or with debug settings on, so they are no real problem unless the admin is utterly stupid.

Other comments on security: Tclhttpd is ok, although it is easy to DoS the machine, as it uses gets for its network interaction. See http://www.tcl.tk/cgi-bin/tct/tip/287.html for some background on the problem there.

One easy way to isolate tclhttpd from the rest of the application is listed in: http://wiki.tcl.tk/8755

Would need some work (aka security policies written) to run inside something like the Safe_Base as a restricted and very secure web server.

Michael
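The gets-based DoS Michael refers to, illustrated with an added example that is not tclhttpd's own code: a minimal Tcl server whose readable handler caps how much partial-line data a nonblocking socket may buffer, using the `chan pending` command TIP 287 introduced (Tcl 8.5+). The port, the cap, and the handler names are assumptions of this example.

```tcl
# Added example (not tclhttpd code). Requires Tcl 8.5+ for [chan pending].
set ::maxLineBytes 8192   ;# assumed cap on a single request line

# Weak form: on a nonblocking channel, gets keeps buffering until a newline
# arrives, so a peer that never sends one grows the process without bound.
proc WeakReadLine {sock} {
    if {[gets $sock line] >= 0} {
        HandleLine $sock $line
    } elseif {[eof $sock]} {
        close $sock
    }
}

# Hardened form: drop the connection once the unread buffer holds more than
# the cap with still no complete line in it, or once a delivered line is
# over the cap. gets returns a character count; chan pending reports bytes,
# which is sufficient for a sanity bound here.
proc SafeReadLine {sock} {
    set n [gets $sock line]
    if {$n >= 0} {
        if {$n > $::maxLineBytes} {
            close $sock   ;# complete line, but larger than any legitimate request
            return
        }
        HandleLine $sock $line
        return
    }
    if {[eof $sock]} {
        close $sock
        return
    }
    if {[chan pending input $sock] > $::maxLineBytes} {
        close $sock   ;# partial line already exceeds the cap: stop buffering
    }
}

# Placeholder request handling for the example: echo the line back.
proc HandleLine {sock line} {
    puts $sock "echo: $line"
    flush $sock
}

proc Accept {sock addr port} {
    fconfigure $sock -blocking 0 -buffering line -translation crlf
    fileevent $sock readable [list SafeReadLine $sock]
}

socket -server Accept 8080   ;# assumed listening port
vwait forever
```

Swapping `SafeReadLine` for `WeakReadLine` in `Accept` reproduces the unbounded-buffer behaviour the message describes, which is useful for observing memory growth in a test harness.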