From: kardiac <kar...@kr...> - 2004-10-17 17:15:17

Hi,

I am not really a developer (so my question may be obvious), but I am currently developing a Webmin module. I would like to know whether there is a document anywhere describing how to secure a Webmin module, or some good practices to follow.

I have also read (in the Perl Cookbook, for example) that for writing a secure Perl CGI it is preferable to use "use strict;" and the -w and -T flags on the #! line (at a minimum). I have checked the Webmin modules and I see that they do not use these, and I do not know why. Is it because Webmin works with ACLs, and if the user has ACL rights then there is no need to enforce security in the modules?

Thanks in advance for any advice,
Kardiac
From: Martin M. <mm...@me...> - 2004-10-17 17:32:28

Hi,

kardiac wrote:
> I am not really a developer (so my question is maybe obvious) but i
> develop actually a webmin module. And i would know if it has anywhere a
> document describing how securing a webmin module or some good practice
> to respect?

If you need help translating this module into at least German, please come back to me :-)

> I have too read (in perl cookbook by example) than for writing a secure
> perl CGI it's preferable to use "use strict;" and -w and -T flag on #!
> line (at minimum).

As always, some people prefer what you wrote and others may say these things are useless. I think it is always the maintainer's choice how he develops things. I remember someone who hardened a Webmin module and gave it back to the maintainer, so do not let me be someone who stops you in this ;-)

until then - kind regards

Martin Mewes
--
######################################################################
http://www.webmin.com/   | Webbased Administration Tool for
http://webmin.mamemu.de/ | Unixoid Systems :-)
Official Webmin/Usermin Translation Co-Ordinator 2003/2004
######################################################################
From: kardiac <kar...@kr...> - 2004-10-17 18:00:24

Martin Mewes wrote:
> Hi,
>
> kardiac wrote:
>
>> I am not really a developer (so my question is maybe obvious) but
>> i develop actually a webmin module. And i would know if it has
>> anywhere a document describing how securing a webmin module or some
>> good practice to respect?
>
> If you need help in translating this module to at least german, please
> come back to me :-)

Thanks, I will remember it if I finish this module (I hope :-)

>> I have too read (in perl cookbook by example) than for writing a
>> secure perl CGI it's preferable to use "use strict;" and -w and -T
>> flag on #! line (at minimum).
>
> As always this goes together, that someone is preferring what you
> wrote and others may say these things are useless. I think it is
> always the maintainers choice on how he is developing things.
>
> I remember someone who did harden a webmin-module and gave this back
> to the maintainer, so do not let me be someone who stops you in this ;-)
>
> bis dahin - kind regards
>
> Martin Mewes

OK, I see. It is not really restraining ;-)

I would also like some input on forged values in form submissions. I currently use this:

    # '-' is placed last so it is a literal hyphen rather than a range
    # ('.-_' inside [...] is the range from '.' to '_', which includes '/');
    # '_' is already covered by \w.
    unless ($value =~ m#^([\w.-]+)$#) {
        error("$value has invalid characters.\n");
    }

Is it enough? Is there a better way to do it? I have already said it, but all advice is welcome :-)

Kardiac
From: Martin M. <mm...@me...> - 2004-10-17 18:15:28

Hi,

kardiac wrote:
> Martin Mewes wrote:
>> If you need help in translating this module to at least german, please
>> come back to me :-)
> Thanks, i will remember it if i finish this module (i hope :-)

Can you please give me a hint on what kind of module you are working on? Maybe there is already something in place, and it may be easier for you to join a particular development instead of reinventing the wheel.

> I will like some input on forged values in form submission too. I use
> that actually:
>
>     unless ($value =~ m#^([\w.-_]+)$#) {
>         error("$value has invalid characters.\n");
>     }
>
> It's enough ? Best way to do it exist ?

I am just a translator and a lousy programmer, so I will leave this to the coders here.

until then - kind regards

Martin Mewes
From: kardiac <kar...@kr...> - 2004-10-17 18:50:08

Martin Mewes wrote:
> Hi,
>
> kardiac wrote:
>
>> Martin Mewes wrote:
>>
>>> If you need help in translating this module to at least german,
>>> please come back to me :-)
>>
>> Thanks, i will remember it if i finish this module (i hope :-)
>
> Can you please give me a hint on what kind of module your are working
> on? Maybe there is something in place and it may would be more easier
> for you to join a particular development instead of reinventing the
> wheel.
>
>> I will like some input on forged values in form submission too. I use
>> that actually:
>>
>>     unless ($value =~ m#^([\w.-_]+)$#) {
>>         error("$value has invalid characters.\n");
>>     }
>>
>> It's enough ? Best way to do it exist ?
>
> I am just a translator and a lousy programmer, so I may leave this to
> the coders here.
>
> bis dahin - kind regards
>
> Martin Mewes

I am working on a module for Cyrus IMAP. I started from the IMAPv4 Server module, but I have almost completely rewritten it. I needed internationalization support (French especially) and more features (support for different hierarchy separators, cascading delete, editing the configuration file...). I did not need to rewrite everything, but I had a lot of fun doing it :-). Currently internationalization and the hierarchy separator are OK. I have switched to the Cyrus::IMAP::Admin Perl module instead of Net::IMAP::Admin (maybe not such a good idea, but I will see now).

kind regards
Kardiac
From: Jamie C. <jca...@we...> - 2004-10-18 00:46:15

On Mon, 2004-10-18 at 03:15, kardiac wrote:
> Hi,
>
> I am not really a developer (so my question is maybe obvious) but i
> develop actually a webmin module. And i would know if it has anywhere a
> document describing how securing a webmin module or some good practice
> to respect?
> I have too read (in perl cookbook by example) than for writing a secure
> perl CGI it's preferable to use "use strict;" and -w and -T flag on #!
> line (at minimum).
> I have check in webmin modules and i have see it didn't use that and i
> don't know why. It's because webmin work with ACL and if user has ACL
> rights then no need for enforcing security in modules ?

The biggest security concern is allowing untrusted users access to a module with limited privileges. If your module has an acl_security.pl script that allows individual Webmin logins to be given different access rights, you need to be very careful in your code that restricted users cannot exceed their granted privileges.

This means that all form input has to be carefully checked, to ensure that it cannot be manipulated to access arbitrary files on the system or run commands. For example, if your module contained a form that allowed some file in /usr/local/blah to be deleted, code like this could be dangerous:

    &ReadParse();
    system("rm -f /usr/local/blah/$in{'file'}");

because a filename with .. in it could be used to delete any file on the system. And a filename with ... It is better to use code like this:

    &ReadParse();
    $in{'file'} !~ /\.\./ && $in{'file'} !~ /\// || &error("Invalid filename");
    unlink("/usr/local/blah/$in{'file'}");

- Jamie
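The following is an added example, not code from Webmin or from anyone in this thread. It puts the allowlist regex kardiac posted earlier and the two checks in Jamie's reply side by side in one runnable Perl script, and shows why the result of either check is only safe if the name goes to unlink() rather than through a shell. The directory (a temporary one standing in for /usr/local/blah), the list of inputs and the function names are all made up for the example; a real module would take the value from Webmin's $in{'file'} after &ReadParse(), which is not used here so that the script runs offline.

```perl
#!/usr/bin/perl -T
# Added example, not Webmin code. Run as:  perl -T example.pl
# (perl refuses a -T that appears only on the #! line when it is started
# as "perl example.pl", so pass it on the command line or run ./example.pl).
use strict;
use warnings;
use File::Temp qw(tempdir);

# Directory the module is allowed to delete from. In a real module this is
# a fixed path such as /usr/local/blah; here it is a throwaway directory.
my $BASE = tempdir(CLEANUP => 1);

# Jamie's two checks: no ".." and no "/" anywhere in the submitted name.
# This stops directory traversal, but a name such as "x; touch pwned"
# still passes, so the result must never be interpolated into system()
# or backticks: unlink() is safe, a shell command line is not.
sub passes_denylist {
    my ($name) = @_;
    return 0 unless defined $name && length $name;
    return 0 if $name =~ /\.\./;
    return 0 if $name =~ m{/};
    return 1;
}

# Allowlist version of kardiac's regex, with three changes:
#  - \A and \z instead of ^ and $ ($ also matches before a trailing "\n");
#  - the '-' is escaped: an unescaped ".-_" inside [...] is a RANGE from
#    '.' (0x2E) to '_' (0x5F), which includes '/' and ':' ('_' is in \w);
#  - the capture $1 is returned, which is what untaints the value under -T,
#    so the caller can hand it to unlink() without "Insecure dependency".
sub untaint_filename {
    my ($name) = @_;
    return undef unless defined $name;
    return $name =~ /\A([\w.\-]+)\z/ ? $1 : undef;
}

# Validate, then remove with unlink(): no shell ever sees the name.
# Returns (1, path) on success or (0, reason) on failure.
sub delete_in_base {
    my ($name) = @_;
    my $clean = untaint_filename($name);
    return (0, "Invalid filename") unless defined $clean;
    my $path = "$BASE/$clean";
    return unlink($path) ? (1, $path) : (0, "unlink failed: $!");
}

# Constructed inputs standing in for values a user could submit in the form.
my @inputs = (
    "report.txt",          # legitimate
    "../../etc/passwd",    # traversal
    "/etc/passwd",         # absolute path
    "x; touch pwned",      # shell metacharacters, no '/' and no '..'
    "report.txt\n",        # trailing newline, slips past ^...$
    "ok-name_1.log",       # legitimate
);

# Create the legitimate files so the deletion has something to act on.
for my $f ("report.txt", "ok-name_1.log") {
    open my $fh, '>', "$BASE/$f" or die "create $f: $!";
    close $fh;
}

for my $name (@inputs) {
    (my $shown = $name) =~ s/\n/\\n/g;
    my ($ok, $detail) = delete_in_base($name);
    printf "%-20s denylist=%d allowlist=%s -> %s\n",
        "'$shown'",
        passes_denylist($name),
        defined untaint_filename($name) ? "pass" : "reject",
        $ok ? "deleted $detail" : $detail;
}
```

Running it shows the difference between the two approaches on the constructed inputs: the traversal and absolute-path names are rejected by both checks, "x; touch pwned" gets through the denylist but not the allowlist, the name with a trailing newline is rejected only because the allowlist is anchored with \z, and the two legitimate files are removed with unlink(). The example is stricter than Jamie's snippet in that it combines his checks with the allowlist, and it only deletes through the untainted capture, which is the form taint mode will accept.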