From: Lane S. <la...@sa...> - 2002-11-19 07:09:44
Harmeet,

Anytime you give someone the ability to write script, Java, etc. with server-side evaluation, you open up some big security issues no matter what the restrictions, limitations, and definitions.

In my view, as an ISP, I would be very cautious about running a container supporting 2 or more distinct and independently written servlet applications. Mostly, inadvertent side-effects but some malicious stuff too. Uploading a script to run compounds the security problem. Better to have their own dedicated container. Better still to have their own host.

-lane

Harmeet Bedi wrote:

>>>Will it be possible to write recursive macros ?
>>>
>>If the macros can be evaluated in such a way that they terminate at
>>compile time, yes.
>>
>
>Would it be possible to have some example of safe but recursive macro ?
>
>I feel that macro directive call graph and recursive calls could be abused
>by a malicious person. Is this likely ? Is it possible to provide a way to
>limit macros to make them safer ?
>
>Can wm templates be used as part of a hosting solution ? Can one provide
>ability to add wm templates but somehow restrict the person uploading wm
>templates from bringing down the container. With 1.0, I was thinking that
>restricting available Java packages and disallowing the include directive
>could do the trick. Is this true ? Does it make sense ?
>Is this in line with web macro use case ?
>
>Appreciate your help. I have been using webmacro a little bit for a year but
>don't know enough about it.
>One thing that would help (at least) me a lot would be some documentation on web
>application security with web macro.
>
>thanks,
>Harmeet