I know Python much better than PHP, so I feel reasonably comfortable with the cgi Python module dealing with simple tests of HTML queries. In the meantime, I'm worried about possible safety issues, so what is your suggestion to fix any coding/setting mistake? Do I have to publish my code here, or on the toolserver wiki? As you guess, I'm not so deep into such issues.
Thanks!
Alex brollo
No, you don't have to publish the code, but design it with safety in mind and test protecting against common attacks. You may be interested in talking to a more experienced developer to take a look, though.
Mono
On Tue, Jun 21, 2011 at 6:05 AM, Alex Brollo alex.brollo@gmail.com wrote:
I know Python much better than PHP, so I feel reasonably comfortable with the cgi Python module dealing with simple tests of HTML queries. In the meantime, I'm worried about possible safety issues, so what is your suggestion to fix any coding/setting mistake? Do I have to publish my code here, or on the toolserver wiki? As you guess, I'm not so deep into such issues.
Thanks!
Alex brollo
Alex Brollo wrote:
I know Python much better than PHP, so I feel reasonably comfortable with the cgi Python module dealing with simple tests of HTML queries. In the meantime, I'm worried about possible safety issues, so what is your suggestion to fix any coding/setting mistake? Do I have to publish my code here, or on the toolserver wiki? As you guess, I'm not so deep into such issues.
It's a bit unclear what you mean by safety issues. I'll assume you mean XSS vulnerabilities, SQL injection, etc.
It's rather simple, really: sanitize all input and all output. If you do that, it doesn't really matter how bad or ugly the HTML or CSS is.
You can read https://wiki.toolserver.org/view/Tool_considerations#Security which has a bit more information about tool security.
As you're working in PHP, you might also find http://www.mediawiki.org/wiki/Security_for_developers useful, though it's obviously targeted primarily at MediaWiki development.
You should set a default license for your tools/scripts using "setlicense" and then you can specify licenses for individual tool/scripts as necessary. There's a general expectation that the tools and scripts that you write will be released under a free/open source license, but I'm not sure if that's an actual requirement ("must") or simply an expectation ("should").
If you have specific questions, feel free to ask on this list or IRC.
MZMcBride
MZMcBride:
There's a general expectation that the tools and scripts that you write will be released under a free/open source license, but I'm not sure if that's an actual requirement ("must") or simply an expectation ("should").
It's preferred, but not required at the moment.
- river.
Thanks!
I'll read the safety doc. In brief, there's only a GET input from a link such as this:
toolserver.org/..../cgi-bin/epg_start.py?sito=language_of_wikisource&pagina=name_of_the_page&titolo=title_of_the_page
and the output is only a zip file in the public_html folder and a static HTML page to see what's happening. I guess it would be simple to control the content of the three GET parameters and to stop the script if the parameter content is unsafe.
What are the minimal, safest settings for the epg_start.py file? Is a 777 mode safe?
Alex brollo
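The check Alex describes (validate the three GET parameters, stop if any is unsafe, and escape everything written to the status page), as an added example that is not the epg_start.py script from the thread. The allowlist patterns, the parameter names' expected shapes and the function names are assumptions chosen for illustration.

```python
import html
import re
from urllib.parse import parse_qs

# Allowlists for the three GET parameters named in the thread.
# Hypothetical patterns; tighten or widen them to match the real tool.
LANG_RE = re.compile(r"^[a-z]{2,3}(-[a-z]{2,4})?$")  # e.g. "it", "pt-br"
# A page title: word characters, spaces and a little punctuation, bounded
# length. Rejects "..", "/", "<", quotes, NUL and shell metacharacters.
TITLE_RE = re.compile(r"^[\w .,'()\-]{1,200}$")


class UnsafeParameter(ValueError):
    """Raised when a query parameter fails validation."""


def validate_params(query_string):
    """Parse the query string and return the three validated parameters.
    Raise UnsafeParameter if one is missing, duplicated, or off-allowlist."""
    qs = parse_qs(query_string, keep_blank_values=True)
    out = {}
    for name, pattern in (("sito", LANG_RE), ("pagina", TITLE_RE),
                          ("titolo", TITLE_RE)):
        values = qs.get(name, [])
        if len(values) != 1:
            raise UnsafeParameter(f"{name}: expected exactly one value")
        if not pattern.match(values[0]):
            raise UnsafeParameter(f"{name}: rejected by allowlist")
        out[name] = values[0]
    return out


def render_status(params, status):
    """Build the static status page. Every value is HTML-escaped, so a
    parameter cannot inject markup even if the allowlist is later widened."""
    rows = "".join(
        f"<tr><th>{html.escape(k)}</th><td>{html.escape(v)}</td></tr>"
        for k, v in params.items())
    return (f"<html><body><h1>{html.escape(status)}</h1>"
            f"<table>{rows}</table></body></html>")


def handle(query_string):
    """Return (http_status, html_body) for one request; unsafe input stops
    the script before any file is written."""
    try:
        params = validate_params(query_string)
    except UnsafeParameter as exc:
        return 400, render_status({}, f"Rejected request: {exc}")
    # ... build the zip in public_html here, from the validated params ...
    return 200, render_status(params, "Request accepted")
```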