[262] in WWW Security List Archive
Re: Secure W3 Server
daemon@ATHENA.MIT.EDU (Brian Behlendorf)
Tue Dec 13 19:56:22 1994
Date: Tue, 13 Dec 1994 12:51:53 -0800 (PST)
From: Brian Behlendorf <brian@wired.com>
To: smb@research.att.com
cc: David Miller <isdmill@gatekeeper.ddp.state.me.us>, hharamis@cohesive.com,
www-security@ns1.rutgers.edu
In-Reply-To: <199412131856.NAA02435@ns1.rutgers.edu>
Reply-To: Brian Behlendorf <brian@wired.com>
On Tue, 13 Dec 1994 smb@research.att.com wrote:
> httpd is a risk partly because it's complex, but also because some of
> the interesting things you can do with it involve perl or sh scripts
> interpreting user inputs.
Perl isn't any more dangerous than C in this respect. Don't do stupid
things like pass variables to the command line or to be "eval"'d without
doing some serious type checking first (you should see my regexp for
email addresses!) and you should be fine.
Brian
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Your slick hype/tripe/wipedisk/zipped/zippy/whine/online/sign.on.the.ish/oil
pill/roadkill/grease.slick/neat.trick is great for what it is. -- Wired Fan #3
brian@hotwired.com brian@hyperreal.com http://www.hotwired.com/Staff/brian/
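
Added example, not part of the original message and not Brian's regexp: a Perl sketch of the two habits the reply describes, an allowlist check on a form value and a list-form call that never starts a shell. The names `checked_address` and `notify`, the pattern itself, the sample inputs, and `/bin/echo` as a stand-in for a real mailer are all assumptions made for illustration.

```perl
use strict;
use warnings;

$| = 1;  # keep our output in order with the child's output

# Allowlist check, deliberately narrower than the mail RFCs: letters, digits
# and a few punctuation characters only; no whitespace, quotes or shell
# metacharacters; no leading '-' that a program could take for an option.
# \A and \z anchor the whole string ('$' would accept a trailing newline).
sub checked_address {
    my ($raw) = @_;
    return unless defined $raw && length($raw) <= 254;
    return $1 if $raw =~ /\A( [A-Za-z0-9] [A-Za-z0-9._+-]{0,63}
                              \@ [A-Za-z0-9-]+ (?: \. [A-Za-z0-9-]+ )+ )\z/x;
    return;
}

# Hand the value to a program as a single argv element. The list form of
# system() with an explicit program block never invokes a shell, so the
# argument is not reinterpreted. Returns the exit status (0 on success).
sub notify {
    my ($program, $addr) = @_;
    return system { $program } $program, 'accepted:', $addr;
}

# Constructed form values standing in for CGI input.
my @submitted = (
    'alice@example.org',
    'bob+lists@mail.example.org',
    'carol@example.org; echo injected',
    '-v@example.org',
    "dave\@example.org\n",
);

for my $value (@submitted) {
    (my $shown = $value) =~ s/\n/\\n/g;     # make newlines visible in output
    my $addr = checked_address($value);
    if (defined $addr) {
        # /bin/echo is a stand-in for the real mailer (assumption)
        notify('/bin/echo', $addr) == 0 or warn "program failed for $shown\n";
    } else {
        print "rejected: $shown\n";
    }
}
```

Under taint mode (`perl -T`) the captured `$1` is also what untaints the value, so the same check serves both purposes.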