Craig Skinner <[EMAIL PROTECTED]> wrote:

> Web/ticketing/wiki all comes together easily with Perl, but as Perl is
> so powerful at the OS level, there is little point in shoving it all
> into a chroot.

You don't have to. If you use something like fastcgi[1], then your code can run independently of the webserver (even on a different machine if you want to), and thus you can have it start up in / and then chroot itself into /var/www at runtime, immediately before entering the main event loop.

> I'm worried about data driven HTTP attacks getting past the reverse
> Squid proxy on the bastion host and into the LAN server, especially via
> HTTPS when contents are not examined so well.

Perl can help you here. Run your code with the -T switch, and then untaint all user-supplied input with regexes that pass only sane data. I don't know if TWiki does this or not. A lot of programs out there are very loose in this regard, but your own code doesn't have to be. And granted, some things are going to be very loose. For instance an HTML form textarea is bound to contain valid metacharacters. But DBI provides a means to quote such data, and there is also Perl's quotemeta() function.

[1] http://www.fastcgi.com/

-- 
Stephen Takacs <[EMAIL PROTECTED]>
http://perlguru.net/
4149 FD56 D078 C988 9027 1EB4 04CC F80F 72CB 09DA
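The two pieces of advice in the reply above (chroot yourself after start-up, and run under -T with whitelist untainting) put together as an added example. This is not code from the message, from TWiki or from the fastcgi project. It assumes a jail directory /var/www, an unprivileged account named www, a hypothetical ticket_comment table, and a DBI handle supplied by the caller; the FastCGI accept loop itself is only indicated in a comment, so the FCGI module is not needed to run it.

```perl
#!/usr/bin/perl -T
# Added example, not from the original message. Assumes: started as root
# from /, /var/www exists, a user "www" exists, and the caller passes a
# DBI handle to textarea_to_sql(). Run as: perl -T this_script.pl
use strict;
use warnings;
use Carp  qw(croak);
use POSIX qw(setgid setuid);

# Under -T, anything from outside (CGI params, %ENV, file input) is tainted
# and refuses to take part in open/system/unlink until laundered through a
# regex capture. Capture the shape you want; do not enumerate bad characters.
sub untaint_ticket_id {
    my ($raw) = @_;
    return unless defined $raw;
    return $raw =~ /\A([0-9]{1,10})\z/ ? $1 : undef;   # digits only
}

sub untaint_wiki_page {
    my ($raw) = @_;
    return unless defined $raw;
    # WikiWord-style page name: letters and digits, no dots or slashes,
    # so it can never walk out of the topic directory.
    return $raw =~ /\A([A-Za-z][A-Za-z0-9]{0,63})\z/ ? $1 : undef;
}

# A textarea legitimately contains quotes, semicolons and angle brackets,
# so there is no sane character class to whitelist. Keep the bytes, but
# never interpolate them into a query: bind them as placeholders (or, at
# worst, pass them through $dbh->quote).
sub textarea_to_sql {
    my ($dbh, $ticket_id, $body) = @_;
    my $sth = $dbh->prepare(   # hypothetical table name
        'INSERT INTO ticket_comment (ticket_id, body) VALUES (?, ?)');
    return $sth->execute($ticket_id, $body);   # DBI quotes; we never do
}

# Same idea for a regex built from user input: quotemeta() makes every
# metacharacter literal, so a search for "a.*" matches only the text "a.*".
sub search_comments {
    my ($term, @bodies) = @_;
    my $literal = quotemeta $term;
    return grep { /$literal/ } @bodies;
}

# Start-up order: open whatever lives outside the jail (log files, the DB
# socket, the passwd lookup below) while still in /, then chroot, chdir,
# drop root, and only then start serving.
sub jail_and_drop_privs {
    my ($dir, $user) = @_;
    my ($uid, $gid) = (getpwnam $user)[2, 3];   # must happen before chroot
    croak "no such user $user" unless defined $uid;
    chroot $dir or croak "chroot $dir: $!";
    chdir '/'   or croak "chdir /: $!";   # else cwd still points outside the jail
    $) = "$gid $gid";                     # egid plus supplementary groups
    setgid($gid) or croak "setgid: $!";
    setuid($uid) or croak "setuid: $!";
    croak 'still root after setuid' if $< == 0 || $> == 0;
    return 1;
}

unless (caller) {
    # -T refuses exec/system with an inherited PATH; set a known-good one.
    $ENV{PATH} = '/bin:/usr/bin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

    jail_and_drop_privs('/var/www', 'www') if $> == 0;   # skipped when not root

    # Constructed stand-in for one request's parameters.
    my %param = (
        ticket => '4711',
        page   => '../../etc/passwd',
        body   => q{'; DROP TABLE ticket_comment; --},
    );
    my $id   = untaint_ticket_id($param{ticket}) // die "rejected ticket id\n";
    my $page = untaint_wiki_page($param{page})   // 'WebHome';  # traversal attempt dropped
    my @hits = search_comments('.*', 'a.*b', 'anything');       # only the literal ".*" matches
    print "ticket=$id page=$page hits=@hits\n";
    # FastCGI: while (FCGI::Request()->Accept() >= 0) { ... } would go here,
    # after the jail is set up, so every request runs as www inside /var/www.
}
```

Note that getpwnam() has to run before chroot(), since /etc/passwd is no longer reachable afterwards, and that chdir('/') after chroot() is what actually closes the door; a process that keeps a cwd or an open directory handle outside the jail can still reach it.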