On 10/24/07, Toshio Kuratomi <a.badger@xxxxxxxxx> wrote:
> Paulo Santos wrote:
> > Drupal + SELinux + mod_security ?!
> >
> It looks like the combination of SELinux and mod_security will cover the
> range of exploits as long as we have policy that covers all the
> approaches in both SELinux and mod_security. I have some misgivings
> about running software that I know is going to need third party tools to
> enforce security rather than having the extra checks be part of
> defense in depth, but it seems that that would work.
>
> And in answer to the subject, "Php why must your apps suck so?" the
> unfortunate answer is that it's built into the language. <?php $USERVAR
> ?> and <?php echo $USERVAR ?> are inherently bad because they don't html
> escape $USERVAR, yet it is the method used by practically all php code to
> output variables to the page.
>
> Many Python web frameworks address this issue in the framework by
> automatically html escaping any variable which is displayed in the
> template. Notably, kid and genshi (the template languages we're using
> for our TG deployments) work this way. PHP, on the other hand, makes
> constant vigilance necessary.

Perhaps it's possible to help mitigate any non-escaped output by developing
(or using) whatever themes need to be developed for a Drupal install using
Smarty? Quite a few of the themes do use Smarty.

-- Craig

> -Toshio
>
> _______________________________________________
> Fedora-infrastructure-list mailing list
> Fedora-infrastructure-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
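The difference Toshio describes between PHP's raw `echo` and a template engine that escapes by default, as an added example that is not part of the thread or of kid/genshi: a minimal `{{ var }}` substitution in two flavours, one that dumps values as-is and one that HTML-escapes every value unless it was explicitly marked as trusted `Markup`. The template syntax, the `Markup` class and the sample user input are constructed for illustration.

```python
import html
import re

# Constructed example; the {{ name }} syntax and Markup class are assumptions,
# not the API of kid, genshi, Smarty or any other real template engine.


class Markup(str):
    """A string the developer has explicitly declared to be safe HTML.
    The auto-escaping renderer leaves it untouched; everything else is escaped."""


_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_unescaped(template, context):
    """Mirrors <?php echo $USERVAR ?>: the value goes into the page verbatim,
    so markup inside a user-supplied value becomes part of the document."""
    return _VAR.sub(lambda m: str(context[m.group(1)]), template)


def render(template, context):
    """Auto-escaping renderer in the spirit of kid/genshi: every substituted
    value is HTML-escaped (including quotes, so it is safe inside attribute
    values too) unless the developer wrapped it in Markup."""
    def repl(m):
        value = context[m.group(1)]
        if isinstance(value, Markup):
            return str(value)
        return html.escape(str(value), quote=True)
    return _VAR.sub(repl, template)


# Constructed sample input: a "name" that carries a script tag, as a user
# could submit through any form field.
TEMPLATE = "<p>Hello, {{ name }}!</p>"
USERVAR = "<script>alert(1)</script>"

if __name__ == "__main__":
    print(render_unescaped(TEMPLATE, {"name": USERVAR}))  # script tag survives
    print(render(TEMPLATE, {"name": USERVAR}))            # rendered as text
    print(render(TEMPLATE, {"name": Markup("<b>admin</b>")}))  # trusted markup
```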