[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Php why must your apps suck so?



Paulo Santos wrote:
Drupal + SELinux + mod_security ?!

It looks like the combination of SELinux and mod_security will cover the range of exploits as long as we have policy that covers all the approaches in both SELinux and mod_security. I have some misgivings about running software that I know is going to need third party tools to enforce security rather than having the extra checks be part of defense in depth but it seems that that would work.

And in answer to the subject, "Php why must your apps suck so?" the unfortunate answer is that it's built into the language. <?php $USERVAR ?> and <?php echo $USERVER ?> are inherently bad because they don't html escape $USERVAR yet it is the method used by practically all php code to output variables to the page.

Many Python web frameworks address this issue in the framework by automatically html escaping any variable which is displayed in the template. Notably, kid and genshi (the template languages we're using for our TG deployments) work this way. PHP, on the other hand, makes constant vigilance necessary.

-Toshio


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]