Re: Book Recommendation: Secure web programming ?

2005-10-08 Thread Randal L. Schwartz
> "Elfyn" == Elfyn McBratney <[EMAIL PROTECTED]> writes:

Elfyn>   * Escape [shell] `meta'-characters - `"', `;', '|', etc. - in all user
Elfyn> input.  This is especially important if you hand-off user-supplied
Elfyn> input to an external program (for example, `sendmail');

Even better, don't let such things get near a shell.  Use multi-arg exec
or system, or multi-arg open to fork-and-pipe.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: Book Recommendation: Secure web programming ?

2005-10-08 Thread Elfyn McBratney
Hiya Randy,

On Tue, Oct 04, 2005 at 03:30:23 -0400, Randy W. Sims wrote:
 > I know perl. I know some basics of web/CGI programming, but haven't
 > done anything where security really matters. Could anyone recommend
 > books or references that discuss real-world web programming, that
 > show the right way to create secure sites? Topics like creating
 > logins, varying levels of access rights (some can edit, some can
 > view, some have limited views), different methods of storing
 > information & storing user data (plain file, DBM, DBMS;
 > strengths/weaknesses), what issues arise in using web hosting vs
 > having your own server.

I used to have a link to a very good (online version) of a web-based
security book around, but can no longer find it, so I'll share some
pe[a]rls ;) I use when working on perl/CGI web-apps:

  * If at all possible, use perl's built-in taint-mode - see the
man-page for `perlsec' for more info on this.  With taint-mode
enabled, all input is tainted by default until verified to be
`correct'.

  * Escape [shell] `meta'-characters - `"', `;', '|', etc. - in all user
input.  This is especially important if you hand-off user-supplied
input to an external program (for example, `sendmail');

  * Finally, don't black-list, white-list.  In other words, don't check
for badly-formed, or `illegal' data, check for valid and correct
data.  There is just a never ending list of things that'll need
black-listing (what with new types of exploits coming out daily (in
certain areas)), and you'll always be playing catch-up if you go the
reverse route.

 > Also, are there any particularly good general web development books
 > you highly recommend?

If I find that link (or remember the name of the book), I'll reply with
it. :)

Best,
Elfyn

-- 
Elfyn McBratney
Gentoo Developer/Perl Team Lead
beu/irc.freenode.net    http://dev.gentoo.org/~beu/
+O.o- http://dev.gentoo.org/~beu/pubkey.asc

PGP Key ID: 0x69DF17AD
PGP Key Fingerprint:
  DBD3 B756 ED58 B1B4 47B9  B3BD 8D41 E597 69DF 17AD
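To tie the two replies together, here is an added example (mine, not code from either poster) that turns on taint mode and white-list untainting as Elfyn describes, then hands the value to an external program with list-form open and system so it never reaches a shell, as Randal suggests. It assumes /usr/sbin/sendmail and /usr/bin/logger exist; the sample inputs are constructed.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread: Perl taint mode with a white-list
# untaint (Elfyn's points) and list-form open/system so user data never
# reaches /bin/sh (Randal's point). Assumes /usr/sbin/sendmail exists.
use strict;
use warnings;

# Under -T, exec/system/pipe-open refuse to run until %ENV is trustworthy.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# White-list: only an address shape we are willing to mail gets through.
# Capturing with a regex is the sanctioned way to untaint; the anchored
# pattern also forbids a leading '-', so the value can't be read as an option.
sub untaint_address {
    my ($s) = @_;
    return $s =~ /\A([A-Za-z0-9][A-Za-z0-9._%+-]*\@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\z/
        ? $1 : undef;
}

# Constructed sample inputs standing in for a CGI parameter.
for my $raw ('alice@example.com', 'bob@example.com; rm -rf /', '-f x@example.com') {
    my $ok = untaint_address($raw);
    printf "%-32s => %s\n", $raw, defined $ok ? "accepted ($ok)" : 'rejected';
}

my $to = untaint_address($ARGV[0] // 'alice@example.com')
    or die "rejected recipient\n";

# Unsafe (shown for contrast, not run): one string goes through the shell, so
# ';', '|', backticks and friends in $to would become shell syntax.
#   open(my $mail, "| /usr/sbin/sendmail $to") or die;

# Safe: list-form open forks and execs sendmail directly; $to is exactly one
# argv element and no shell ever parses it.
open(my $mail, '|-', '/usr/sbin/sendmail', '-oi', $to)
    or die "cannot run sendmail: $!\n";
print $mail "To: $to\nSubject: test\n\nhello\n";
close($mail) or die "sendmail exited with status $?\n";

# Same rule for system(): pass a list, never an interpolated command line.
system('/usr/bin/logger', '-t', 'webapp', "mailed $to") == 0
    or die "logger failed: $?\n";
```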

Book Recommendation: Secure web programming ?

2005-10-04 Thread Randy W. Sims
I know perl. I know some basics of web/CGI programming, but haven't done 
anything where security really matters. Could anyone recommend books or 
references that discuss real-world web programming, that show the right 
way to create secure sites? Topics like creating logins, varying levels 
of access rights (some can edit, some can view, some have limited 
views), different methods of storing information & storing user data 
(plain file, DBM, DBMS; strengths/weaknesses), what issues arise in 
using web hosting vs having your own server.


Also, are there any particularly good general web development books you 
highly recommend?


Thanks,
Randy.
