From: Nic Ferrier <[EMAIL PROTECTED]>
Reply-To: "A mailing list for discussion about Sun Microsystem's Java
        Servlet API Technology." <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Servlet Security
Date: Fri, 1 Oct 2004 20:45:43 +0100

Henry Reardon <[EMAIL PROTECTED]> writes:

> Sorry, I should have qualified that: CGIs are OK *if* you take the
> appropriate safeguards like using mod_cgi.

No, that's incorrect. mod_cgi is Apache's way of running CGIs. That
doesn't change the problems inherent in CGI.


> Or have I got everything muddled up?

Yes.   /8->


> I have a conceptual knowledge of CGI and what it does and have done
> a few programs using it, most of them Perl programs I wrote several
> years back. I don't have any real experience with security for CGI
> and only just heard of cgi_mod for the first time yesterday and
> don't really understand it yet, except that it is an implementation
> of CGI that is reputedly more secure than some other
> implementations. I'm still not quite clear if mod_cgi is anywhere
> near as secure as servlets.

No, it isn't. The problem with CGI is that you are exposing the
operating system directly into the request methodology. In simple
terms, there is just too much code involved to be confident that it is
secure.


> Basically, I'm looking for an argument that a servlet-based wiki
> will be substantially more secure than a CGI-based wiki - or vice
> versa - so that I can make a case to the system administrator of a
> Linux server on which way he should go. I was getting the impression
> from the various responses I've had to my question (on this mailing
> list and another) that both were quite satisfactory from a security
> standpoint IF the appropriate steps were taken to tighten up
> security.

I think servlets (or PHP, or mod_perl, or mod_python) would inspire
more confidence than CGI.

But I repeat, it's about risk assessment and cost. What is the risk
that your wiki will be broken, and what is the cost of that vs the
cost of development using more secure technologies?


Nic


Okay, thanks for the clarification. We shall weigh these remarks heavily in our deliberations about which technology to choose.

'Henry'


Archives: http://archives.java.sun.com/archives/servlet-interest.html