On Thu, 25 Sep 2003, Bob Hicks wrote:
> Randall Swartz said something to the effect of "you shouldn't let anyone
> know what you are using for cgi". He was speaking of using extensions to
> file names like ".pl".
>
> Thoughts?
This is a good idea, a rather good idea in fact. Randal is right again.
Surprise, surprise... (Someone else mentioned that this was security
through obscurity (STO) - baloney. More on that in a sec.) Basically
there's no reason random end users should ever know what your code is
written in. Consider:
- This is a good idea from a security perspective because people will
target Perl, PHP, ColdFusion, etc. holes at URLs that are obviously
Perl, PHP, etc. Attacks on many popular something.pl scripts have been
easily avoided by renaming the scripts without the .pl. Does any of this
"really" secure anything? No, but it also isn't STO. It's a wise move as
part of security in depth (SID comes before STO). Even if it doesn't
"really" secure anything it does slow the bums down, and that's helpful
considering how many bums there are these days.
- This is a good idea from a deployment/admin perspective. Why should the
end user care that you decided to rewrite your script in Perl once you
realized PHP was the Britney Spears of languages? The same thing applies
to shell scripts as applies to other command line scripts as applies to
URLs. The scripting language doesn't need to be and shouldn't be in the
URL.
Some people may be stuck with nasty ISPs that require this sort of BS.
If so, I'd suggest running the other way.
- One other thing a real ISP can do for you is remap your URLspace on the
fly. If you really love seeing .pl on the end of files there's still NO
reason to expose this to the user. Just rewrite the URLs on the fly.
You'll want to do this when you switch parts of your site from mod_perl to
CGI and back.
Some people may call this merely a matter of taste, but when my personal
tastes make my life this much easier there's something more to them
than mere aesthetics. :)
--
</chris>
No, no, you're not thinking, you're just being logical.
-Niels Bohr, physicist (1885-1962)
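The on-the-fly rewriting chris describes, as an added Apache httpd configuration example that is not part of the thread. It assumes Apache 2.4 with mod_rewrite, mod_alias and mod_perl 2 loaded; the paths and script names are made up for illustration.

```apache
# Added example (not from the thread): public URLs carry no extension,
# so nothing in the URL says which language serves them, and the backend
# (plain CGI or mod_perl) can be swapped without changing a single link.

RewriteEngine On

# /report is served by a plain CGI script: /var/www/cgi-bin/report.pl
# [PT] hands the rewritten URI on to ScriptAlias instead of treating it
# as a filesystem path; [L] stops the ruleset for this request.
RewriteRule ^/report$ /cgi-bin/report.pl [PT,L]
ScriptAlias /cgi-bin/ /var/www/cgi-bin/

# /search is served by the same kind of script under mod_perl.
# Switching a script between CGI and mod_perl is just a matter of
# which of the two rules above points at it; the URL stays /search.
RewriteRule ^/search$ /perl/search.pl [PT,L]
Alias /perl/ /var/www/perl/
PerlModule ModPerl::Registry
<Location /perl/>
    SetHandler perl-script
    PerlResponseHandler ModPerl::Registry
    PerlOptions +ParseHeaders
    Options +ExecCGI
</Location>
<Directory /var/www/perl>
    Require all granted
</Directory>

# Refuse any request whose original request line names a .pl file, so
# the extensionless form is the only one reachable from outside.
# THE_REQUEST is the client's own request line, so this does not fire
# on the internal rewrites above.
RewriteCond %{THE_REQUEST} \.pl(\?|\s)
RewriteRule .* - [F,L]

# Hiding the extension is pointless if the Server header still lists
# mod_perl; keep the banner to the product name only.
ServerTokens Prod
```

A request for /report runs report.pl as CGI, /search runs search.pl under mod_perl, and a direct request for /cgi-bin/report.pl or /perl/search.pl gets a 403.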