NYCPHP Meetup

[nycphp-talk] escapeshellcmd stupidity?

Allen Shaw ashaw at polymerdb.org
Sat Jan 3 08:09:02 EST 2009


Ajai Khattri wrote:
> On Fri, 2 Jan 2009, Allen Shaw wrote:
>   
>> Basic auth seems enough to protect my todo list from abuse
>>     
> Unless you're using HTTPS, that security is not sufficient since your 
> password will be sent as clear text across an open network...
>   
Agreed. I should have worded it more clearly: Basic auth over http seems 
"secure enough" to protect my todo list from abuse, considering its 
relative value to me. However, given the inherent limitations of basic 
auth over a non-encrypted connection, the stakes get considerably higher 
when we consider that I'm accepting shell script arguments over the web 
-- poor security could easily lead to arbitrary code being passed to the 
shell by anyone who cares enough to sniff out the basic auth credentials.

Basic auth will prevent the casual drifter from writing graffiti on my 
todo list. To prevent real damage to the server itself, I'm relying on 
the script to police the input. Bad idea?

- A.

-- 
Allen Shaw
slidePresenter (http://slides.sourceforge.net)
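
An added example, not part of the original post or the poster's script: one way for a PHP front end to police input before it reaches the shell, by allowlisting the action and quoting each argument with escapeshellarg(), shown beside escapeshellcmd() over the whole string for comparison. The script path, the action names and the script's handling of `--` are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example; TODO_SCRIPT and ALLOWED_ACTIONS are hypothetical placeholders.
const TODO_SCRIPT = '/usr/local/bin/todo.sh';
const ALLOWED_ACTIONS = ['add', 'list', 'done'];

// Weak form, for comparison: escapeshellcmd() backslash-escapes shell
// metacharacters but leaves spaces alone, so the text still splits into
// several arguments and option-like words reach the script as options.
function naive_command(string $action, string $text): string
{
    return escapeshellcmd(TODO_SCRIPT . ' ' . $action . ' ' . $text);
}

// Hardened form: returns a quoted command line, or null when rejected.
function build_todo_command(string $action, string $text): ?string
{
    // Allowlist the action instead of trying to strip bad characters.
    if (!in_array($action, ALLOWED_ACTIONS, true)) {
        return null;
    }
    // Bound the free text and refuse control characters (newline, NUL, ...).
    if (strlen($text) > 200 || preg_match('/[\x00-\x1f\x7f]/', $text)) {
        return null;
    }
    // Quote every argument on its own. The "--" marks the end of options;
    // assumption: the script's option parser honours it.
    return escapeshellarg(TODO_SCRIPT) . ' ' . escapeshellarg($action)
         . ' -- ' . escapeshellarg($text);
}

// Constructed sample requests: [action, text].
$samples = [
    ['add', 'buy milk'],
    ['add', 'buy milk; echo INJECTED'],  // metacharacters in the text
    ['add', '--some-option value'],      // text that looks like an option
    ['rm',  'anything'],                 // action not on the allowlist
    ['add', "line one\nline two"],       // embedded newline
];

foreach ($samples as [$action, $text]) {
    $safe = build_todo_command($action, $text);
    echo 'naive:    ', naive_command($action, $text), "\n";
    echo 'hardened: ', $safe === null ? 'REJECTED' : $safe, "\n\n";
}
```

The loop only prints the command lines; nothing is executed, so the two forms can be compared side by side.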



