From: kardiac <kar...@kr...> - 2004-10-17 18:00:24
Martin Mewes wrote:

> Hi,
>
> kardiac wrote:
>
>> I am not really a developer (so my question is maybe obvious) but
>> I am currently developing a Webmin module. And I would like to know
>> if there is anywhere a document describing how to secure a Webmin
>> module or some good practices to respect?
>
> If you need help in translating this module to at least German, please
> come back to me :-)

Thanks, I will remember it if I finish this module (I hope :-)

>> I have also read (in perl cookbook by example) that for writing a
>> secure Perl CGI it's preferable to use "use strict;" and the -w and -T
>> flags on the #! line (at minimum).
>
> As always this goes together, that someone is preferring what you
> wrote and others may say these things are useless. I think it is
> always the maintainer's choice on how he is developing things.
>
> I remember someone who did harden a webmin-module and gave this back
> to the maintainer, so do not let me be someone who stops you in this ;-)
>
> Until then - kind regards
>
> Martin Mewes

Ok, I see. It's not really restraining ;-)

I would like some input on forged values in form submission too.
I currently use this:

    unless ($value =~ m#^([\w.-_]+)$#) {
        error( "$value has invalid characters.\n");
    }

Is it enough? Does a better way to do it exist?

I have already said it, but all advice is welcome :-)

Kardiac
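
An added example, not part of the original message: it runs the check as posted against a few constructed inputs, next to a stricter pattern. The helper `check_value`, the sample strings and the 64-character limit are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern as posted: inside [...] the sequence ".-_" is a RANGE from "."
# (0x2E) to "_" (0x5F), and "$" also matches before a trailing newline.
my $posted = qr#^([\w.-_]+)$#;

# Stricter variant (assumption: only letters, digits, "_", "." and "-" are
# wanted). "-" is placed last so it is literal, \A...\z anchor the whole
# string, /a keeps \w ASCII-only (Perl 5.14+), and the length is bounded.
my $strict = qr#\A([\w.-]{1,64})\z#a;

# Returns the captured value (the capture is also how a value is untainted
# under -T) or undef when the input does not match.
sub check_value {
    my ($re, $value) = @_;
    return defined $value && $value =~ $re ? $1 : undef;
}

# Constructed sample inputs, not taken from a real form submission.
my @samples = ("eth0.conf", "my-file_1", "dir/file", "a<b>", "a;b",
               "x=1?y", "name\n");

for my $s (@samples) {
    (my $shown = $s) =~ s/\n/\\n/g;    # make the newline visible in output
    printf "%-12s posted=%-6s strict=%s\n", $shown,
        defined check_value($posted, $s) ? "accept" : "reject",
        defined check_value($strict, $s) ? "accept" : "reject";
}
```

With the pattern as posted, `my-file_1` is rejected because `-` (0x2D) lies just outside the range, while `dir/file`, `a<b>`, `a;b`, `x=1?y` and the newline-terminated value are all accepted. The stricter pattern accepts only the first two samples.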