Gunther Birznieks wrote:
<snip>
> >From: Jan Dubois <[EMAIL PROTECTED]>
> >I don't think so. You should never let people execute arbitrary code on
> >your web server anyways. If you do, then the potential intruder can do
> >much more nasty things than just snooping around in memory.
> >-Jan
> I think Jan is right to some degree. But he's also not necessarily thinking
> outside the box, which is exactly what a hacker will do.
<snip>
This reminds me of a discussion that has been conducted here before. One could as
well ask, "Isn't Embperl [or any other embedded code implementation] a security
risk?" One camp says of course not, you should protect yourself against tainted
user data, etc., plus whatever other ways exist to trick the server into executing
a foreign Perl fragment, and it's your fault if you don't, so there's no risk.
Another camp says yes, if your server is *able* to execute embedded code of some
kind, then by enabling this capability you've added to the risk by definition --
and by the way, you can't claim to have thought of *all* the ways that someone
might trick you into running a code frag, because you're probably not thinking
about it as hard as they are.