True, but if we're talking about a server-side script that is used as a middleware for
file handling, receiving all variables, including the file path and name to save to, from
an external source (i.e. not hardcoded in the server-side script), it is certainly an
issue.
For example, if the general nature of the script doesn't care if you write
"/index.html" when you define where to save the file to, just about anybody would be
able to set a new front page for the site it's on, which might not be the best of
events. This is the extreme case of course, but even small unwanted surprises would be
unwanted when it concerns, for example, a big business site.
A text file with strict file paths is easy enough to maintain for the webmaster (the one
implementing DynAPI and a possible Dynserver pack on the website server) and sets at
least a basic protection against mistakes and unwanted features, and it's not that hard
to implement in the server-side script either.
This is merely a suggestion. I too at first wasn't much concerned with it, but have come to
realise it being a more serious matter. I'm sure there are cases when even this method
isn't enough of a safety measure, even if security is set up correctly on the server.
I do, though, see to it that I never have those kinds of issues with my projects, since I'm
really not that good at setting up (web-)servers correctly security-wise (merely
being a webcoding grunt at heart :)
Henrik Våglin [ [EMAIL PROTECTED] ]
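Added example of the allow-list check Henrik describes in this message and in his earlier one quoted below; it is not code from DynAPI, Dynserver or anyone on the list. The server-side file I/O script loads a webmaster-maintained text file of permitted absolute paths and writes only to a requested path that exactly matches one of them after normalisation, so "/index.html", "../" tricks and the allow-list's own path are refused. The document root /srv/www, the allow-list location /srv/www/conf/paths.txt, the sample list contents and the function names are assumptions made for the example.

```python
"""Allow-list gate for a server-side file I/O script.

Added example, not code from DynAPI, Dynserver or the thread. Assumed layout:
document root /srv/www; webmaster-maintained allow-list at
/srv/www/conf/paths.txt, one absolute path per line, '#' starts a comment.
"""
import posixpath

DOCROOT = "/srv/www"                        # assumption
ALLOWLIST_PATH = "/srv/www/conf/paths.txt"  # assumption

# Constructed sample of the webmaster's text file (not a real site's config).
SAMPLE_ALLOWLIST = """\
# files the DynAPI file I/O widget is allowed to write
/srv/www/data/guestbook.txt
/srv/www/data/counter.txt   # hit counter
"""


class PathRejected(ValueError):
    """Raised when a client-supplied path is not an allowed write target."""


def canonical(path):
    """Reduce an absolute POSIX path to one spelling so exact comparison works.

    Lexical only: '..', '.' and '//' are collapsed, but symlinks are not
    resolved, so the webmaster must keep symlinks out of the allowed
    directories (or use os.path.realpath on the live server instead).
    """
    if any(ord(c) < 32 for c in path):
        raise PathRejected("control character in path")  # NUL-truncation trick
    if not path.startswith("/"):
        raise PathRejected("path must be absolute: %r" % path)
    return posixpath.normpath(path)


def load_allowlist(text, allowlist_path=ALLOWLIST_PATH, docroot=DOCROOT):
    """Parse the allow-list text into a frozenset of canonical paths.

    Fails closed on a misconfigured list: an entry naming the list itself
    (which would let a client rewrite the allow-list) or an entry outside
    the document root raises ValueError instead of being silently skipped.
    """
    self_path = canonical(allowlist_path)
    docroot = canonical(docroot)
    allowed = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        entry = canonical(line)
        if entry == self_path:
            raise ValueError("allow-list must not list its own path")
        if not entry.startswith(docroot + "/"):
            raise ValueError("entry outside document root: %r" % line)
        allowed.add(entry)
    return frozenset(allowed)


def check_write_target(requested, allowed, allowlist_path=ALLOWLIST_PATH):
    """Return the canonical path if `requested` exactly matches an allowed entry.

    Exact match, not prefix match: listing guestbook.txt does not implicitly
    permit '/srv/www/data/guestbook.txt.bak' or the directory '/srv/www/data'.
    """
    target = canonical(requested)
    if target == canonical(allowlist_path):
        raise PathRejected("refusing to touch the allow-list itself")
    if target not in allowed:
        raise PathRejected("path not in allow-list: %r" % requested)
    return target


def save_file(requested, data, allowed):
    """The script's save operation: write only after the path passes the gate."""
    target = check_write_target(requested, allowed)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


if __name__ == "__main__":
    allowed = load_allowlist(SAMPLE_ALLOWLIST)
    for req in ["/srv/www/data/guestbook.txt",
                "/srv/www//data/./guestbook.txt",   # same file, odd spelling
                "/index.html",                      # the "new front page" case
                "/srv/www/data/../index.html",      # traversal to the same file
                "/srv/www/conf/paths.txt",          # the allow-list itself
                "data/guestbook.txt"]:              # relative path
        try:
            print("ALLOW ", check_write_target(req, allowed))
        except PathRejected as exc:
            print("REJECT", repr(req), "-", exc)
```

The same gate belongs in front of every operation the script exposes (rename, copy, delete, listing), not only the save, and the rejection branch should be logged so the webmaster sees attempts against unlisted paths.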
----- Original Message -----
From: "Robert Rainwater" <[EMAIL PROTECTED]>
To: "DynAPI Help List" <[EMAIL PROTECTED]>
Sent: Thursday, February 15, 2001 1:25 AM
Subject: Re[2]: [Dynapi-Help] Requirements of a server-side companion for DynAPI
>
> I don't think security is any more of an issue with using a serverside
> component than any other time. The only thing you are doing is making
> page requests to the server using javascript. Even without javascript,
> anyone can make a request to the same file (function). So, security
> is not any more of a factor (unless I am missing something). You
> always have to deal with security when creating server-side
> applications, so you should always make sure security is taken care
> of.
> --
> // Robert Rainwater
>
> On 2/14/2001, 5:19:56 PM EST, Henrik wrote about "[Dynapi-Help] Requirements of a
> server-side companion for DynAPI":
>
> > Something I got to thinking real hard about when scripting the servertasks file I/O
> > widget - which is actually a kind of in-script client/server type interface - was the
> > security issue. How would you ensure that you aren't just making it easy for
> > evil-minded hackers to do unwanted things to your website file structure and files?
> > What seems to be the best way is to let the webmaster hardcode strict paths into a
> > text file, to ensure that at least the user doesn't intentionally or unintentionally
> > modify the wrong files, or in the wrong way, in any directory in the webserver
> > structure. This method isn't waterproof either, but at least it restricts the
> > available file paths if it's included into the server-side script that it must check
> > the text file and ensure that the input file path is strictly true to one that is
> > specified in the text file. The text file should of course not include its own path,
> > or it would be useless.
>
> > Also I would advise to carefully consider whether the general server-side script
> > should actually include rename and file-listing functions, as these could easily be
> > misused. I've also been reconsidering actually including a delete function in my
> > serverTasks file I/O widget. This should probably be one thing amongst others which
> > should rather be left to the webmaster to do manually to ensure it's done right.
>
> > Henrik Våglin [ [EMAIL PROTECTED] ]
>
>
> > ----- Original Message -----
> > From: "Doug Melvin" <[EMAIL PROTECTED]>
> > To: "dynapi-help" <[EMAIL PROTECTED]>
> > Sent: Thursday, February 15, 2001 12:59 AM
> > Subject: [Dynapi-Help] Requirements of a server-side companion for DynAPI
>
>
> > Rough draft:
> > Add your comments and suggestions,
> > then we'll make a second draft and do it again.
>
> > DataBase access:
> > -SQL implementation (rip code from or modify MySQL?)
> > -getField('fieldname')
> > > get the value in field 'fieldname' for
> > the selected record
> > -setField('fieldname')
> > > set the value in field
> > 'fieldname' for the selected record
> > -SQLExecute('sqlstring')
> > > you would pass your
> > "SELECT * FROM" or
> > "DELETE ALL FOR"
> > statements to the DB
> > engine here..
>
> > File I/O (server-side):
> > -directory navigation:
> > +list files
> > +change working dir
> > -file streaming:
> > +Open file stream
> > +get X bytes from file stream
> > +get ALL from file stream
> > +write to file stream: append/insert/overwrite
> > +close file stream
>
> > -file manipulation:
> > +copy file
> > +move file
> > +rename file
> > +delete file
> > +maybe batch versions of the above
> > (ie myFileStreamObject.rename('f*s.js','f*r.js') )
>
> > Network Comm:
>
> > Not sure what you would want for network comm..
> > But I was thinking, you can make TCP/IP connections with an applet, right?
> > So, on those platforms that don't support, say, LiveConnect for instance,
> > your applet can make a network connection to your server-side component,
> > which would then instruct your DynAPI to do something
> > (using a queue I would assume, as you can't 'tell' jscript to do anything from the
> > server...)
>
>
>
>
>
> > _________________________________________________________
> > Do You Yahoo!?
> > Get your free @yahoo.com address at http://mail.yahoo.com
>
>
> > _______________________________________________
> > Dynapi-Help mailing list
> > [EMAIL PROTECTED]
> > http://lists.sourceforge.net/lists/listinfo/dynapi-help
>
>
> ----------------------
> DynAPI Snapshots: http://dynapi.sourceforge.net/snapshot/
> DynAPI Homepage: http://dynapi.sourceforge.net/
>
>
>
>