Sandino Araico Sánchez wrote:
Ey Sandino! It is good to read you! :-)
>>> My first idea is to create a new type of module. Until now, I
>>> have had handlers, validators, loggers and encoders. The idea
>>> would be to implement a new type, filters, to do this sort of
>>> things.
>>>
>>> For example, we could have filters like: get_filter or
>>> post_filter. Imagine something like this:
>>>
>>
>> The filter idea sounds very good; however, it would be nice to have some
>> other kinds of filters, and possibly many of these filters would be
>> 'extended' from others, like a sql_filter (for SQL Injection[1]), a php
>> filter[2] (attacks from outside) or, why not, an output filter[3]
>> (attacks from inside, like XSS) ;-)
>
> POST and SQL injection filters are needed to protect vulnerable CGI
> applications so a good place to put the filtering layer is a new
> handler inherited from the cgi handler......
>
> The problem is we have different cgi handlers to choose from....
I disagree. My understanding is that the proposed filter mechanism
is a completely new concept inside the server architecture, and
therefore, it ought to be implemented independently.
As you probably know, Cherokee is an "empty server". It doesn't even
know how to do the most basic and obvious things without using modules.
Currently there are four types of modules:
- Validators: Validate users before attending their requests.
- Handlers: Generate what is about to be sent to the client:
read the file system, execute PHP, whatever.
- Encoders: Transform the handler output. Eg: compress it.
- Loggers: Store what is happening.
So, now, the idea is to add a new entry to that list:
- Filters: Validate server's input
In that way, we will be able to use any of the existing handlers
with the new filter modules: which means, any handler with any
filter, and it will be up to you how to configure it.
Of course, as you said, there are some filters that will only be
useful if they are used with certain handlers: it wouldn't make sense
to use the SQL_filter with the "file" handler, for example; but I
guess those checks are something that we should move outside the
server logic (the new admin interface seems like a good place for
them).
--
Greetings, alo.
_______________________________________________
Cherokee mailing list
http://www.0x50.org/cgi-bin/mailman/listinfo/cherokee
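The pipeline alo describes (validator, then the new filter type, then any handler, then encoders, then logger), written out as an added toy model. This is not Cherokee's code or its module API: every class, method and field name below is an assumption made for illustration, the sql_filter is a deliberately simple heuristic stand-in for the one proposed in the thread, and the sample requests are constructed. The point it shows is the one alo makes: because filters validate the server's input before any handler runs, the same filter instance sits in front of a CGI-style handler and a file handler without either knowing about it, while the "does this filter make sense with this handler?" check lives outside the serving path, as alo suggests leaving it to the admin interface.

```python
# Added example: a toy model of the module layout discussed in the thread
# (validator -> filters -> handler -> encoders -> logger). It is NOT
# Cherokee's own API; every class and method name here is an assumption.
import gzip
import re
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Request:
    method: str
    path: str
    query: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)  # decoded POST fields
    user: Optional[str] = None


@dataclass
class Response:
    status: int
    body: bytes
    headers: Dict[str, str] = field(default_factory=dict)


# Module duties, one method each (duck-typed): Validator.validate(req) -> bool,
# Handler.handle(req) -> Response, Encoder.encode(resp) -> Response,
# Logger.log(req, resp), and the proposed fifth type,
# Filter.check(req) -> None to accept or a reason string to reject.
class AllowListValidator:
    def __init__(self, users):
        self.users = set(users)
    def validate(self, req):
        return req.user in self.users


class SqlFilter:
    """Heuristic stand-in for the sql_filter idea: flag parameter values that
    carry classic injection fragments (tautology, comment, stacked statement)."""
    PATTERN = re.compile(r"'\s*(?:or|and)\b|--|;\s*(?:drop|delete|union|insert)\b", re.I)
    def check(self, req):
        for source in (req.query, req.form):
            for key, value in source.items():
                if self.PATTERN.search(value):
                    return "sql_filter: suspicious value in parameter %r" % key
        return None


class FileHandler:
    def __init__(self, files):
        self.files = files  # constructed in-memory "file system"
    def handle(self, req):
        return Response(200, self.files[req.path]) if req.path in self.files else Response(404, b"not found")


class EchoCgiHandler:
    """Stand-in for a CGI script: echoes the parameters it received."""
    def handle(self, req):
        params = {**req.query, **req.form}
        return Response(200, "&".join("%s=%s" % kv for kv in sorted(params.items())).encode())


class GzipEncoder:
    def encode(self, resp):
        resp.body, resp.headers["Content-Encoding"] = gzip.compress(resp.body), "gzip"
        return resp


class ListLogger:
    def __init__(self):
        self.entries = []
    def log(self, req, resp):
        self.entries.append("%s %s -> %d" % (req.method, req.path, resp.status))


class Server:
    """'Empty server': every stage is a pluggable module, so any handler runs behind any filter."""
    def __init__(self, handler, validator=None, filters=(), encoders=(), logger=None):
        self.handler, self.validator = handler, validator
        self.filters, self.encoders = list(filters), list(encoders)
        self.logger = logger if logger is not None else ListLogger()

    def serve(self, req):
        if self.validator and not self.validator.validate(req):
            resp = Response(401, b"unauthorized")
        else:
            reason = next((r for r in (f.check(req) for f in self.filters) if r), None)
            if reason:
                resp = Response(400, reason.encode())  # rejected before the handler runs
            else:
                resp = self.handler.handle(req)
                for enc in self.encoders:
                    resp = enc.encode(resp)
        self.logger.log(req, resp)
        return resp


def config_warnings(filters, handler):
    """The pairing check the thread leaves to the admin interface, not the server."""
    if isinstance(handler, FileHandler) and any(isinstance(f, SqlFilter) for f in filters):
        return ["sql_filter makes no sense with the file handler"]
    return []


def demo():
    """Constructed traffic: the same sql_filter in front of two unrelated handlers."""
    benign = Request("GET", "/cgi-bin/lookup", query={"id": "7"}, user="alo")
    injected = Request("GET", "/cgi-bin/lookup", query={"id": "7' OR '1'='1"}, user="alo")
    log = ListLogger()
    cgi = Server(EchoCgiHandler(), AllowListValidator(["alo"]), [SqlFilter()], [GzipEncoder()], log)
    static = Server(FileHandler({"/index.html": b"<h1>hi</h1>"}), None, [SqlFilter()], [], log)
    statuses = [cgi.serve(benign).status, cgi.serve(injected).status, static.serve(injected).status]
    return statuses, log.entries
```

Running `demo()` yields the statuses `[200, 400, 400]`: the benign lookup reaches the CGI stand-in and comes back gzip-encoded, while the injected parameter is refused by the filter stage regardless of which handler is configured behind it, and every outcome still passes through the logger. `config_warnings` is the kind of sanity check alo would keep out of the server and put in the admin interface instead.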