
Re: Does your software?




  Umm, your GET-only server sounds like it is secure, but what is the
point of advertising it to this list? I could program a GET-only
server in far fewer than 80 lines in just a few hours. You could
do it in even fewer lines of Perl, or /bin/sh. A real HTTP server
must support all of HTTP/1.0, however, for it to be considered a server.
Since yours doesn't, it isn't; it's just a toy. A better project would be
to make HTTP requests under CERN more secure. In fact, if you don't
handle CGI, you can't handle forms, which means you can't handle
commerce securely.



Secure Perl "GET only" server:
copy perl to a secure filesystem
have a chroot C wrapper there
the wrapper chroots to this directory and runs the Perl script
perl is effectively boxed in


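#!/securedir/perl

# Read the request line, e.g. "GET /index.html HTTP/1.0"
$line = <STDIN>;
($method, $url, $protocol) = split(/\s+/, $line);

# Delete everything except letters, digits and underscore, so the name
# cannot contain "/", "." or shell metacharacters
$url =~ s/[^a-zA-Z0-9_]//g;

if ($method =~ /^GET/i)
{
   # Three-argument open: the name is never parsed for a mode or a pipe
   if (open(FILE, '<', $url))
   {
      print "HTTP/1.0 200 OK\nContent-Type: text/html\n\n";
      print <FILE>;
      close(FILE);
   }
   else
   {
      print "HTTP/1.0 404 Not Found\nContent-Type: text/html\n\n";
   }
}

exit 0;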
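
The chroot C wrapper that the steps above describe, as an added example that is not part of the original post. The jail path `/securedir`, the uid/gid 65534, the script name `/server.pl` and perl living at `/perl` inside the jail are all assumptions; the function name `enter_jail` is hypothetical.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed values: the post only shows the path "/securedir/perl". */
#define JAIL_DIR   "/securedir"
#define JAILED_UID 65534   /* assumption: an unprivileged account */
#define JAILED_GID 65534

/* Enter the jail and give up root for good. Returns 0, or -1 with errno set. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {        /* a root process can leave a chroot */
        errno = EINVAL;
        return -1;
    }
    if (chdir(dir) != 0) return -1;    /* cwd must end up inside the new root */
    if (chroot(".") != 0) return -1;
    if (chdir("/") != 0) return -1;
    /* Order matters: supplementary groups, then gid, and uid last. */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Confirm the drop cannot be undone. */
    if (setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

int main(void)
{
    /* Paths are relative to the new root; fixed argv and an empty
       environment, so nothing from the caller reaches perl. */
    char *const argv[] = { "perl", "/server.pl", NULL };
    char *const envp[] = { NULL };

    if (enter_jail(JAIL_DIR, JAILED_UID, JAILED_GID) != 0) {
        perror("enter_jail");
        return 1;
    }
    execve("/perl", argv, envp);
    perror("execve");                  /* reached only if execve failed */
    return 1;
}
```

The perl binary in the jail has to be statically linked, or the shared libraries it needs must be copied into the jail alongside it.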