Paulo Santos wrote:
Drupal + SELinux + mod_security ?!
It looks like the combination of SELinux and mod_security will cover the
range of exploits as long as we have policy that covers all the
approaches in both SELinux and mod_security. I have some misgivings
about running software that I know is going to need third-party tools to
enforce security rather than having the extra checks be part of
defense in depth, but it seems that that would work.
And in answer to the subject, "Php why must your apps suck so?" the
unfortunate answer is that it's built into the language. <?php $USERVAR
?> and <?php echo $USERVAR ?> are inherently bad because they don't
HTML-escape $USERVAR, yet it is the method used by practically all PHP code to
output variables to the page.
Many Python web frameworks address this issue in the framework by
automatically HTML-escaping any variable which is displayed in the
template. Notably, Kid and Genshi (the template languages we're using
for our TG deployments) work this way. PHP, on the other hand, makes
constant vigilance necessary.
-Toshio
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
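The contrast Toshio draws above (raw interpolation the way `<?php echo $USERVAR ?>` does it, versus a template engine that escapes by default) as an added, stand-alone illustration in Python. This is not code from the thread, from Kid or Genshi, or from any Fedora project: the `Markup` type, the two `render_*` functions and the `USER_INPUT` sample are constructed here to show the mechanism, which is the same idea Genshi and later MarkupSafe/Jinja2 use (escape everything unless the value is explicitly marked as trusted HTML).

```python
import html

# Constructed sample input: what an attacker would type into a comment field.
USER_INPUT = '<script>alert("xss")</script>'

# Constructed template; {comment} is the user-controlled slot.
TEMPLATE = '<p class="comment">{comment}</p>'


class Markup(str):
    """A string the developer has explicitly marked as safe HTML.

    The auto-escaping renderer passes Markup through unchanged and
    escapes everything else, so "forgetting" defaults to the safe case.
    (Hypothetical helper, modelled on the Markup idea in Genshi/MarkupSafe.)
    """
    __slots__ = ()


def escape(value):
    """HTML-escape a value for use in element content or a quoted attribute.

    html.escape(quote=True) rewrites & < > " and ', which is what
    htmlspecialchars($v, ENT_QUOTES) does in PHP.
    """
    if isinstance(value, Markup):
        return value
    return Markup(html.escape(str(value), quote=True))


def render_php_style(template, **context):
    """Interpolate with no escaping at all.

    This mirrors `<?php echo $USERVAR ?>`: correctness depends on every
    call site remembering to escape first, which is the vigilance
    problem described in the message.
    """
    return template.format(**context)


def render_autoescaping(template, **context):
    """Interpolate with every value escaped unless it is a Markup instance.

    This is the framework-level fix: the template engine, not the
    developer, is responsible for escaping on output.
    """
    return template.format(**{k: escape(v) for k, v in context.items()})


def demo():
    """Return (unsafe, safe, trusted) renderings of the constructed input."""
    unsafe = render_php_style(TEMPLATE, comment=USER_INPUT)
    safe = render_autoescaping(TEMPLATE, comment=USER_INPUT)
    # A value the application itself produced can opt out of escaping.
    trusted = render_autoescaping(TEMPLATE, comment=Markup("<b>admin</b>"))
    return unsafe, safe, trusted


if __name__ == "__main__":
    for label, out in zip(("php-style", "auto-escaped", "trusted markup"), demo()):
        print(f"{label:15s} {out}")
```

The PHP equivalent of `escape()` is `htmlspecialchars($USERVAR, ENT_QUOTES, 'UTF-8')`, but in PHP it has to be written at every `echo`, which is the whole complaint. Two caveats apply to both languages: escaping is context-specific (this helper is correct for element content and double-quoted attributes, not for JavaScript, URL or CSS contexts), and the `Markup` opt-out only stays safe as long as nothing user-controlled is ever wrapped in it.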