I agree whole-heartedly.
Hard-coding the paths as constants (so to speak)
would also reduce code size a little.
You could also have an 'off-limits' file that defines certain files that can
NOT be modified
(such as "/index.htm")
:-)
Doug
----- Original Message -----
From: "Henrik Våglin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 14, 2001 4:56 PM
Subject: Re: Re[2]: [Dynapi-Help] Requirements of a server-side companion for DynAPI
True, but if we're talking about a server-side script that is used as
middleware for file handling, receiving all variables including the file path
and name to save to from an external source (i.e. not hard-coded in the
server-side script), it is certainly an issue.
For example, if the general nature of the script doesn't care if you write
"/index.html" when you define where to save the file to, just about anybody
would be able to set a new front page for the site it's on, which might not be
the best of events. This is the extreme case of course, but even small
unwanted surprises would be unwanted when it's concerning, for example, a big
business site.
A text file with strict file paths is easy enough to maintain for the
webmaster (the one implementing DynAPI and a possible Dynserver pack on the
web server) and sets at least a basic protection against mistakes and
unwanted features, and it's not that hard to implement in the server-side
script either.
This is merely a suggestion. I too at first wasn't much concerned with it,
but have come to realise it being a more serious matter. I'm sure there are
cases when even this method isn't enough of a safety measure, even if security
is set up correctly on the server.
I, though, see to it that I never have those kinds of issues with my projects
since I'm really not that good at setting up (web-)servers correctly
security-wise (merely being a web-coding grunt at heart :)
Henrik Våglin [ [EMAIL PROTECTED] ]
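The strict-paths text file Henrik proposes, combined with Doug's 'off-limits' constants, as an added Python illustration (my own code, not DynAPI or Dynserver code; the file names, the list format and the web-root-relative path convention are assumptions):

```python
import posixpath

# Constructed sample of the webmaster-maintained text file the thread proposes
# (not DynAPI project code): one web-root-relative path per line, a trailing
# '/' marks a directory whose direct children may be written, '#' is a comment.
SAMPLE_ALLOWLIST = """\
# paths the server-side companion may write to
/data/notes.txt
/data/uploads/
/allowed-paths.txt
"""

# Assumed name of the allow-list file itself. It is listed above on purpose:
# the gate must still refuse it, or the list could be rewritten to permit anything.
ALLOWLIST_PATH = "/allowed-paths.txt"
# Doug's 'off-limits' list as a constant: denied even when the allow-list names them.
OFF_LIMITS = frozenset({"/index.htm", "/index.html", ALLOWLIST_PATH})

def normalize(path):
    """Canonical absolute web-root path, or None if the input is not acceptable."""
    if not isinstance(path, str) or "\x00" in path or "\\" in path:
        return None
    if not path.startswith("/"):
        return None                                    # only absolute web-root paths
    clean = posixpath.normpath("/" + path.lstrip("/"))  # folds '.', '..' and '//'
    return None if clean == "/" else clean             # the root itself is not a file

def parse_allowlist(text):
    """Split allow-list text into (allowed_files, allowed_dirs), both canonical."""
    files, dirs = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        clean = normalize(line.rstrip("/"))
        if clean is not None:                          # malformed entries grant nothing
            (dirs if line.endswith("/") else files).add(clean)
    return files, dirs

def is_write_allowed(requested, files, dirs, off_limits=OFF_LIMITS):
    """True only if the canonical path is listed and not off limits."""
    clean = normalize(requested)
    if clean is None or clean in off_limits:
        return False
    if clean in files:
        return True
    # A directory entry covers files directly inside it; comparing the parent on a
    # path boundary means '/data/uploads' does not also cover '/data/uploads-old'.
    return posixpath.dirname(clean) in dirs
```

The check is applied to the canonical form of the client-supplied path, so "/data/uploads/../../index.html" is judged as "/index.html" and refused rather than matched against the "/data/uploads/" entry.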
----- Original Message -----
From: "Robert Rainwater" <[EMAIL PROTECTED]>
To: "DynAPI Help List" <[EMAIL PROTECTED]>
Sent: Thursday, February 15, 2001 1:25 AM
Subject: Re[2]: [Dynapi-Help] Requirements of a server-side companion for DynAPI
>
> I don't think security is any more of an issue with using a server-side
> component than any other time. The only thing you are doing is making
> page requests to the server using JavaScript. Even without JavaScript,
> anyone can make a request to the same file (function). So, security
> is not any more of a factor (unless I am missing something). You
> always have to deal with security when creating server-side
> applications, so you should always make sure security is taken care
> of.
> --
> // Robert Rainwater
>
> On 2/14/2001, 5:19:56 PM EST, Henrik wrote about "[Dynapi-Help]
> Requirements of a server-side companion for DynAPI":
>
> > Something I got to thinking real hard about when scripting the
> > serverTasks fileI/O widget - which is actually a kind of in-script
> > client/server type interface - was the security issue. How would
> > you ensure that you aren't just making it easy for evil-minded hackers
> > to do unwanted things to your website file structure and files? What
> > seems to be the best way is to let the webmaster hard-code strict
> > paths into a text file so as to ensure that at least the user does not
> > intentionally or unintentionally modify the wrong files, or in the
> > wrong way, in any directory in the web server structure. This method
> > isn't waterproof either, but at least it restricts the available file
> > paths if the server-side script is required to check the text file and
> > ensure that the input file path is strictly true to one that is
> > specified in the text file. The text file should of course not include
> > its own path or it would be useless.
>
> > Also I would advise to carefully consider whether the general
> > server-side script should actually include rename and file-listing
> > functions, as these could easily be misused. I've also been
> > reconsidering actually including a delete function in my serverTasks
> > fileI/O widget. This should probably be one thing amongst others which
> > should rather be left to the webmaster to do manually to ensure it's
> > done right.
>
> > Henrik Våglin [ [EMAIL PROTECTED] ]
>
>
> > ----- Original Message -----
> > From: "Doug Melvin" <[EMAIL PROTECTED]>
> > To: "dynapi-help" <[EMAIL PROTECTED]>
> > Sent: Thursday, February 15, 2001 12:59 AM
> > Subject: [Dynapi-Help] Requirements of a server-side companion for DynAPI
>
>
> > Rough draft:
> > Add your comments and suggestions,
> > then we'll make a second draft and do it again.
>
> > DataBase access:
> > -SQL implementation (rip code from or modify MySQL?)
> > -getField('fieldname')
> > > get the value in field 'fieldname' for
> > the selected record
> > -setField('fieldname')
> > > set the value in field
> > 'fieldname' for the selected record
> > -SQLExecute('sqlstring')
> > > you would pass your
> > "SELECT * FROM" or
> > "DELETE ALL FOR"
> > statements to the DB
> > engine here..
>
> > File I/O (server-side):
> > -directory navigation:
> > +list files
> > +change working dir
> > -file streaming:
> > +Open file stream
> > +get X bytes from file stream
> > +get ALL from file stream
> > +write to file stream: append/insert/overwrite
> > +close file stream
>
> > -file manipulation:
> > +copy file
> > +move file
> > +rename file
> > +delete file
> > +maybe batch versions of the above
> > (i.e. myFileStreamObject.rename('f*s.js','f*r.js') )
>
> > Network Comm:
>
> > Not sure what you would want for network comm..
> > But I was thinking, you can make TCP/IP connections with an applet, right?
> > So, on those platforms that don't support, say, LiveConnect for instance,
> > your applet can make a network connection to your server-side component,
> > which would then instruct your DynAPI to do something
> > (using a queue I would assume, as you can't 'tell' jscript to do anything
> > from the server...)
>
>
> > _______________________________________________
> > Dynapi-Help mailing list
> > [EMAIL PROTECTED]
> > http://lists.sourceforge.net/lists/listinfo/dynapi-help
>
>
> ----------------------
> DynAPI Snapshots: http://dynapi.sourceforge.net/snapshot/
> DynAPI Homepage: http://dynapi.sourceforge.net/