[Webapps-common-discuss] [commit] r109 - webapps-common/trunk/doc

Neil McGovern neilm at alioth.debian.org
Tue Nov 28 21:00:04 CET 2006


Author: neilm
Date: 2006-11-28 21:00:03 +0100 (Tue, 28 Nov 2006)
New Revision: 109

Modified:
   webapps-common/trunk/doc/Webapps-Policy-Manual-DRAFT.sgml
Log:
Added patch from mjs


Modified: webapps-common/trunk/doc/Webapps-Policy-Manual-DRAFT.sgml
===================================================================
--- webapps-common/trunk/doc/Webapps-Policy-Manual-DRAFT.sgml	2006-11-15 06:59:27 UTC (rev 108)
+++ webapps-common/trunk/doc/Webapps-Policy-Manual-DRAFT.sgml	2006-11-28 20:00:03 UTC (rev 109)
@@ -5,6 +5,7 @@
 	<author>Pascal Hakim
 	<author>Neil McGovern
 	<author>Sean Finney			
+	<author>Joey Schulze	
 	<version>
 		Revision: DRAFT-1.9
 	<abstract>
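Review bot: the added `<author>Joey Schulze` line carries a trailing tab, like the `Sean Finney` line above it; strip the trailing whitespace on the new line rather than copying the existing inconsistency, and note that the log message ("Added patch from mjs") does not say whether the new author credit was part of that patch or added by the committer.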
@@ -89,8 +90,8 @@
 				Where possible, this document will defer
 				to these other policies:
 			<list>
-			<item><url id="http://people.debian.org/~seanius/policy/dbapp-policy.html" name="Database Application Policy">
-			<item><url id="http://webapps-common.alioth.debian.org/draft-php/html" name="Debian PHP Policy">
+			<item><url id="http://people.debian.org/~seanius/policy/dbapp-policy.html/" name="Database Application Policy">
+			<item><url id="http://webapps-common.alioth.debian.org/draft-php/html/" name="Debian PHP Policy">
 			<item><url id="http://www.debian.org/doc/packaging-manuals/perl-policy/" name="Debian Perl Policy">
 			</list>
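Review bot: appending a trailing slash to `dbapp-policy.html/` in the first replaced `<item>` line is suspect, because `.html` names a file, not a directory, and a slash after a file name is not a valid way to address it on most web servers. The second change (`draft-php/html/`) is fine since `html` there is a directory; suggest keeping that one and reverting the `.html/` form unless the link was verified to resolve.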
 	<chapt id="terms">Terms and Conventions
@@ -193,7 +194,7 @@
 			<tag>Other static data, and helper scripts that don't belong in users' paths
 			<item>A unique subdirectory of <file>/usr/share/<var>PACKAGE</var></file>
 			<tag>Persistent application data, Cached/regenerated application data, rrd, mrtg and other database files
-			<item>See <url id="http://people.debian.org/~seanius/policy/dbapp-policy.html" name="database application policy">. 
+			<item>See <url id="http://people.debian.org/~seanius/policy/dbapp-policy.html/" name="database application policy">. 
 			<tag>Site configuration (settings/passwords)
 		 	<item><file>/etc/<var>PACKAGE</var></file>
 			<tag>Modifiable and overridable content
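Review bot: same concern as the earlier hunk, the only change here is `dbapp-policy.html` becoming `dbapp-policy.html/`; whichever form is kept, it should match the `<url id=...>` for the database application policy in the policy list above so the document does not point at two different URLs for one reference.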
@@ -301,13 +302,47 @@
 			<p>
 				If the web application needs a database
 				to run properly, it must abide by the 
-				<url id="http://people.debian.org/~seanius/policy/dbapp-policy.html" name="database application policy">. 
+				<url id="http://people.debian.org/~seanius/policy/dbapp-policy.html/" name="database application policy">. 
 				The maintainer is highly encouraged to use
 				a common tool such as dbconfig-common to
 				perform the database configuration. Please
-				see the <url id="http://people.debian.org/~seanius/policy/dbconfig-common-using.html" name="dbconfig-common manual"> for
+				see the <url id="http://people.debian.org/~seanius/policy/dbconfig-common-using.html/" name="dbconfig-common manual"> for
 				more information.
 
+	  <sect id="security-php">Security measurements
+			<p>
+				PHP applications must not depend on
+				the "register_global" setting turned
+				on in Apache or other httpds.
+			<p>
+				PHP applications should take extra
+				care not to use internal variables
+				before their initialisation, in case
+				"register_global" is turned on by the
+				administrator.
+			<!-- p>
+				Include files should not emit any
+				output, not even error messages, in
+				case they are executed directly or
+				exposed in a web-accessible directory.
+			 -->
+			<p>
+
+				Web-based applications should not
+				blindly trust any user-provided data.
+				Before emitting them, the data need to
+				be checked for cross-site scripting
+				attempts, i.e. HTML code needs to be
+				escaped.  Input for databases need to
+				be checked against SQL-injection
+				attempts, i.e. quotes need to be
+				escaped.  User-driven arguments to any
+				file or permission related functions
+				need to be checked against information
+				disclosure, i.e. input need to be
+				checked for ways to escape the
+				intended path on the filesystem.
+
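Review bot: the PHP directive is spelled `register_globals`, not "register_global" (both occurrences in the new `security-php` section), and it is a php.ini / `php_value` setting rather than an Apache option, so "turned on in Apache or other httpds" is better phrased as "turned on in the PHP configuration". Further points on the new section: the title "Security measurements" should read "Security measures"; the `<!-- p> ... -->` paragraph should be either finished or dropped rather than committed as a comment; number agreement needs fixing ("the data need to be checked", "Input for databases need to", "input need to" should all be "needs to"); and for the SQL-injection sentence, escaping quotes is the weakest recommendation available, so suggest naming prepared (parameterised) statements as the preferred approach and quoting as the fallback. The `dbconfig-common-using.html/` change at the top of the hunk has the same trailing-slash-after-a-file problem as the earlier hunks.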
 		<sect id="issues-archindep">Architecture independent scripts (Perl, PHP and others)
 			<p>Scripts that shouldn't normally need
 			   to exist in the standard system path should
@@ -322,6 +357,9 @@
 			   interpretation via the web must exist in
 			   locations where their underlying source code
 			   can be directly retrieved.
+			<p>This may require to split upstream source
+			   into two directories and adjusting the
+			   include path or statements.
 
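Review bot: grammar in the added paragraph: "This may require to split upstream source into two directories and adjusting" should be "This may require splitting the upstream source into two directories and adjusting the include path or statements." Also worth checking the unchanged context just above the hunk, which reads "interpretation via the web must exist in locations where their underlying source code can be directly retrieved"; that is the opposite of the rule stated for architecture-dependent files in the next section ("must not exist in a location where they can be directly retrieved"), so either a "not" is missing there too or the sentence start outside the hunk qualifies it.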
 		<sect id="issues-archdep">Architecture dependant binaries
 			<p>The policy for Architecture dependant binaries
@@ -334,7 +372,7 @@
 			   though this may
 				become deprecated in the future.
 			<p>Similar to Architecture-independent files,
-			   if such files are intended to be executed via
+			   if such files are not intended to be executed via
 			   the web, they must not exist in a location
 			   where they can be directly retrieved.
 
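Review bot: the inserted "not" is a genuine correction, since the sentence previously required files meant to be executed via the web to be kept out of web-retrievable locations, which inverts the intent; no further change needed here beyond confirming the parallel wording in the architecture-independent section says the same thing.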
@@ -362,7 +400,7 @@
 	 	<p>
 			Issues specific to the PHP programming language
 			are covered in the 
-         <url id="http://webapps-common.alioth.debian.org/draft-php/html" name="PHP Policy"> Document
+         <url id="http://webapps-common.alioth.debian.org/draft-php/html/" name="PHP Policy"> Document
 
 	<sect id="perl">Perl
 		<p>
@@ -393,13 +431,13 @@
 					should use the web server's
 					implementation of an "alias"
 					directive.  For example,
-					in apache directive is named
+					in Apache the directive is named
 					"Alias".  For web servers that do
 					not provide such a directive, the
 					local administrator is responsible
 					for placing symbolic links in
 					the document root to make an
-					application web-accessible.
+					application accessible to web-users.
 					
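Review bot: "accessible to web-users" in the replaced last line does not need the hyphen ("web users"), and the original "web-accessible" was arguably the tighter wording; the `Apache` capitalisation fix and the inserted article ("in Apache the directive is named") are fine.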
 			  <sect1 id="httpd-register-httpd">Registering and unregistering an application with web servers
 				<p>
@@ -411,7 +449,7 @@
 					the target web server supports
 					drop-in configuration via a
 					configuration file directory (such
-					as the apache family of httpds'
+					as the Apache family of httpds'
 					<file>conf.d</file> directories) or
 					"include" configuration.  In the
 					case of the latter, standard Debian
@@ -427,7 +465,8 @@
 					the package in question should
 					instead provide the configuration
 					as an example following standard
-					Debian documentation policy.
+					Debian <url id="http://www.debian.org/doc/debian-policy/ch-docs"
+					name="documentation policy">.
 				<p>
 					Such configuration should only be
 					performed during installation.  During
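Review bot: the new `<url id="http://www.debian.org/doc/debian-policy/ch-docs"` is the only URL in this file that ends neither in a file extension nor in a trailing slash, unlike the `.html` and `/` forms used everywhere else; verify that the link resolves as written, since the policy chapters are usually addressed with an explicit file name. Linking the documentation policy instead of naming it in prose is otherwise an improvement.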
@@ -460,7 +499,7 @@
 				hosts:
 			<list>
 			<item>
-				The apache module mod_env can be used
+				The Apache module mod_env can be used
 				to provide applications with information
 				on where to find config files
 			<item>
@@ -471,7 +510,7 @@
 				information to find what config
 				file/script it should use
 			<item> 
-				For php applications under apache, one
+				For PHP applications under Apache, one
 				can use "php_value auto_prepend_file"
 				to provide configuration scripts for
 				the application
