[PLUG] Preventing Probes Like This
Eric Wilhelm
scratchcomputing at gmail.com
Tue Aug 26 18:48:52 UTC 2008
# from Ronald Chmara
# on Tuesday 26 August 2008 03:04:
>>If you're just trying to display some bit of text that's
>> supposed to be next to you in the webroot, your tool (especially a
>> very web-centric tool) should give you a default way to do that which
>> limits the filenames to within the webroot.
>
>If your webroot for the application is /etc/, because your particular
> application is a sysadmin application, /etc/passwd being read-
> accessible makes perfect sense.
Yes. I would hope you were doing some authentication in that case. But
still, what I said is that you want a method for addressing filenames
within the webroot which throws an error when handed an out-of-bounds
filename. If you actually set the webroot to /etc/ (though I wouldn't
do this, even if it were a sysadmin app), well that isn't
out-of-bounds, is it?
>> The framework should give you convenient tools for doing
>> the sensible thing. It can still give you plenty of rope, but
>> handing me a neatly coiled rope is completely different from handing
>> me a bucket full of knots.
>
>You somewhat lost me, but I would guess that the general debate
>focuses on the issue of whether PHP/perl/python/C/java/bash/
><whatever> should be limited to being a jailed "DocumentRoot"
>language, or a language that can inherit the permissions of a parent
>process.
No. That's the wrong debate. One *could* have a framework (like the
google appengine will supposedly be) which eliminates I/O methods from
the language or replaces them with virtualized and managed code. If
you want to provide shared hosting to untrusted programmers, this is
what you need to do. Or you could use javascript on the server. You
still have a chance of leaking information.
But in general, the language itself doesn't need to jail you. Rather,
it (or a module/framework) should provide a good set of functions for
doing the right thing. In this case, the context is "web application",
so your DTRT methods need to take the webroot and etc into account. If
the tool doesn't make it absolutely easy to do the right thing, it
probably isn't the right tool.
In the PHP case, you have a lot of core language functions which are
specifically designed for use in web applications, yet they all tend to
place convenience over security (so much so that you would think this
was some kind of templating language hacked together in an afternoon's
worth of Perl.) Having both would not be so difficult, but the
language design doesn't go there. It would have been simple to make
the potentially insecure functionality require a bit of extra
code/input (hey, just have yet another function with the
prefix 'unsafe_' -- what's 400 more functions in the core syntax?), but
what you got is the opposite: extra coding will get you potentially
secure functionality.
So, maybe the developers which PHP attracts would actually be better off
with a javascript or otherwise jailed+stripped+managed framework?
--Eric
--
As an old bass player friend of mine used to say: throw money, don't
clap.
--Tony Parisi
---------------------------------------------------
http://scratchcomputing.com
---------------------------------------------------
More information about the PLUG
mailing list