On Fri, 2006-08-25 at 15:49 -0400, Ross Singer wrote: > While I agree with this fundamentally, pragmatically this is an > unrealistic expectation. I get this vendor to fix it, another vendor > pops up with another dumb unescaped character. > It's most likely not a problem with unescaped characters but something else (I won't know until you send me the logs).
> You can type these characters into the query string on IE or Safari > and get the same result, it wouldn't have to be vendor provided. Well, this is the problem: almost all security attacks against web servers take advantage of how loose they interpret the protocol in order to handle user errors that really the browser should be dealing with. If you think about it, you have two situations: 1) Dumb user typing into a browser -- browser fixes it. 2) Trained programmer writing an API -- follow the RFC. So the trade-off of being more strict is that a few folks who don't do either of the above have to go change their interactions. > I am not 'blaming' anybody. I'm just pointing out that it's a pretty > chaotic world and, as a result, it's fairly important that (within > reason) a webserver can handle the things that are thrown at it. > Yep, that's understandable, but it's also why so many other web servers get hacked so often. The HTTP RFC is very complex, and the best way I've found to deal with it is to use a strict parser. That being said, the parser has been wrong in the past so shoot me the logs and I'll look at how to update it. > My webserver is the one thing that /I/ can control. This also bring up another point, not every solution is right for every job. Mongrel's the hot thing but I'm the first to suggest another solution if Mongrel doesn't work out, and have many times told people to not adopt Mongrel if they've got something that works. If fcgi works then stick with it. Another option you might like is litespeed: http://litespeedtech.com/community/wiki/doku.php?id=litespeed_wiki:ruby_rails It's fast, commercial, has support, pretty easy to setup and they do fast work. -- Zed A. Shaw http://www.zedshaw.com/ http://mongrel.rubyforge.org/ http://www.lingr.com/room/3yXhqKbfPy8 -- Come get help. _______________________________________________ Mongrel-users mailing list [email protected] http://rubyforge.org/mailman/listinfo/mongrel-users
