[Webapps-common-discuss] [commit] r109 - webapps-common/trunk/doc
Neil McGovern
neilm at alioth.debian.org
Tue Nov 28 21:00:04 CET 2006
Author: neilm
Date: 2006-11-28 21:00:03 +0100 (Tue, 28 Nov 2006)
New Revision: 109
Modified:
webapps-common/trunk/doc/Webapps-Policy-Manual-DRAFT.sgml
Log:
Added patch from mjs
Modified: webapps-common/trunk/doc/Webapps-Policy-Manual-DRAFT.sgml
===================================================================
--- webapps-common/trunk/doc/Webapps-Policy-Manual-DRAFT.sgml 2006-11-15 06:59:27 UTC (rev 108)
+++ webapps-common/trunk/doc/Webapps-Policy-Manual-DRAFT.sgml 2006-11-28 20:00:03 UTC (rev 109)
@@ -5,6 +5,7 @@
<author>Pascal Hakim
<author>Neil McGovern
<author>Sean Finney
+ <author>Joey Schulze
<version>
Revision: DRAFT-1.9
<abstract>
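Review bot: the version block directly below the author list still reads "Revision: DRAFT-1.9" although this commit adds a new author and a whole new security section; consider bumping the draft revision in the same change so readers can tell the two versions of the document apart.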
@@ -89,8 +90,8 @@
Where possible, this document will defer
to these other policies:
<list>
- <item><url id="http://people.debian.org/~seanius/policy/dbapp-policy.html" name="Database Application Policy">
- <item><url id="http://webapps-common.alioth.debian.org/draft-php/html" name="Debian PHP Policy">
+ <item><url id="http://people.debian.org/~seanius/policy/dbapp-policy.html/" name="Database Application Policy">
+ <item><url id="http://webapps-common.alioth.debian.org/draft-php/html/" name="Debian PHP Policy">
<item><url id="http://www.debian.org/doc/packaging-manuals/perl-policy/" name="Debian Perl Policy">
</list>
<chapt id="terms">Terms and Conventions
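Review bot: the two rewritten links append a trailing "/" to targets that are either a file ("dbapp-policy.html/") or a directory without one; a slash after a ".html" filename normally does not resolve, so please verify both URLs in a browser before committing, and leave "dbapp-policy.html" without the slash unless the server is known to serve it that way.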
@@ -193,7 +194,7 @@
<tag>Other static data, and helper scripts that don't belong in users' paths
<item>A unique subdirectory of <file>/usr/share/<var>PACKAGE</var></file>
<tag>Persistent application data, Cached/regenerated application data, rrd, mrtg and other database files
- <item>See <url id="http://people.debian.org/~seanius/policy/dbapp-policy.html" name="database application policy">.
+ <item>See <url id="http://people.debian.org/~seanius/policy/dbapp-policy.html/" name="database application policy">.
<tag>Site configuration (settings/passwords)
<item><file>/etc/<var>PACKAGE</var></file>
<tag>Modifiable and overridable content
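Review bot: same concern as the list in the terms chapter: "dbapp-policy.html/" adds a trailing slash to a filename; if the intent was to normalise all links to end in "/", this one should be checked, since a ".html" file followed by "/" is unlikely to be served.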
@@ -301,13 +302,47 @@
<p>
If the web application needs a database
to run properly, it must abide by the
- <url id="http://people.debian.org/~seanius/policy/dbapp-policy.html" name="database application policy">.
+ <url id="http://people.debian.org/~seanius/policy/dbapp-policy.html/" name="database application policy">.
The maintainer is highly encouraged to use
a common tool such as dbconfig-common to
perform the database configuration. Please
- see the <url id="http://people.debian.org/~seanius/policy/dbconfig-common-using.html" name="dbconfig-common manual"> for
+ see the <url id="http://people.debian.org/~seanius/policy/dbconfig-common-using.html/" name="dbconfig-common manual"> for
more information.
+ <sect id="security-php">Security measurements
+ <p>
+ PHP applications must not depend on
+ the "register_global" setting turned
+ on in Apache or other httpds.
+ <p>
+ PHP applications should take extra
+ care not to use internal variables
+ before their initialisation, in case
+ "register_global" is turned on by the
+ administrator.
+ <!-- p>
+ Include files should not emit any
+ output, not even error messages, in
+ case they are executed directly or
+ exposed in a web-accessible directory.
+ -->
+ <p>
+
+ Web-based applications should not
+ blindly trust any user-provided data.
+ Before emitting them, the data need to
+ be checked for cross-site scripting
+ attempts, i.e. HTML code needs to be
+ escaped. Input for databases need to
+ be checked against SQL-injection
+ attempts, i.e. quotes need to be
+ escaped. User-driven arguments to any
+ file or permission related functions
+ need to be checked against information
+ disclosure, i.e. input need to be
+ checked for ways to escape the
+ intended path on the filesystem.
+
<sect id="issues-archindep">Architecture independent scripts (Perl, PHP and others)
<p>Scripts that shouldn't normally need
to exist in the standard system path should
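Review bot: the new section has three issues. First, the PHP directive is spelled "register_globals" (the text writes "register_global" twice, in both new paragraphs), and it is a PHP configuration setting rather than something "turned on in Apache or other httpds", so "in the PHP configuration" would be more accurate. Second, the heading "Security measurements" should read "Security measures". Third, the commented-out paragraph about include files not emitting output should either be uncommented (it is sound guidance that fits the section) or dropped rather than shipped as a comment, and the stray blank lines inside the last <p> should go. On the content of the last paragraph, "quotes need to be escaped" is the minimum; it may be worth also mentioning that parameterised queries avoid the problem entirely.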
@@ -322,6 +357,9 @@
interpretation via the web must exist in
locations where their underlying source code
can be directly retrieved.
+ <p>This may require to split upstream source
+ into two directories and adjusting the
+ include path or statements.
<sect id="issues-archdep">Architecture dependant binaries
<p>The policy for Architecture dependant binaries
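Review bot: grammar in the added paragraph: "This may require to split upstream source into two directories and adjusting" mixes an infinitive and a gerund; suggest "This may require splitting the upstream source into two directories and adjusting the include path or statements."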
@@ -334,7 +372,7 @@
though this may
become deprecated in the future.
<p>Similar to Architecture-independent files,
- if such files are intended to be executed via
+ if such files are not intended to be executed via
the web, they must not exist in a location
where they can be directly retrieved.
@@ -362,7 +400,7 @@
<p>
Issues specific to the PHP programming language
are covered in the
- <url id="http://webapps-common.alioth.debian.org/draft-php/html" name="PHP Policy"> Document
+ <url id="http://webapps-common.alioth.debian.org/draft-php/html/" name="PHP Policy"> Document
<sect id="perl">Perl
<p>
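Review bot: minor style point on the rewritten line: "Document" should be lower-case and the sentence has no terminating full stop, i.e. "... name="PHP Policy"> document."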
@@ -393,13 +431,13 @@
should use the web server's
implementation of an "alias"
directive. For example,
- in apache directive is named
+ in Apache the directive is named
"Alias". For web servers that do
not provide such a directive, the
local administrator is responsible
for placing symbolic links in
the document root to make an
- application web-accessible.
+ application accessible to web-users.
<sect1 id="httpd-register-httpd">Registering and unregistering an application with web servers
<p>
@@ -411,7 +449,7 @@
the target web server supports
drop-in configuration via a
configuration file directory (such
- as the apache family of httpds'
+ as the Apache family of httpds'
<file>conf.d</file> directories) or
"include" configuration. In the
case of the latter, standard Debian
@@ -427,7 +465,8 @@
the package in question should
instead provide the configuration
as an example following standard
- Debian documentation policy.
+ Debian <url id="http://www.debian.org/doc/debian-policy/ch-docs"
+ name="documentation policy">.
<p>
Such configuration should only be
performed during installation. During
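Review bot: the new link target "http://www.debian.org/doc/debian-policy/ch-docs" has no file extension, unlike the other Debian Policy link in this document ("perl-policy/") and the ".html" targets elsewhere; please check that it resolves, as the policy chapters are normally published as individual ".html" pages.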
@@ -460,7 +499,7 @@
hosts:
<list>
<item>
- The apache module mod_env can be used
+ The Apache module mod_env can be used
to provide applications with information
on where to find config files
<item>
@@ -471,7 +510,7 @@
information to find what config
file/script it should use
<item>
- For php applications under apache, one
+ For PHP applications under Apache, one
can use "php_value auto_prepend_file"
to provide configuration scripts for
the application