[nycphp-talk] escapeshellcmd stupidity?
ashaw at polymerdb.org
Sat Jan 3 08:09:02 EST 2009
Ajai Khattri wrote:
> On Fri, 2 Jan 2009, Allen Shaw wrote:
>> Basic auth seems enough to protect my todo list from abuse
> Unless you're using HTTPS, that security is not sufficient since your
> password will be sent as clear text across an open network...
Agreed. I should have worded it more clearly: Basic auth over http seems
"secure enough" to protect my todo list from abuse, considering its
relative value to me. However, given the inherent limitations of basic
auth over a non-encrypted connection, the stakes get considerably higher
when we consider that I'm accepting shell script arguments over the web
-- poor security could easily lead to arbitrary code being passed to the
shell by anyone who cares enough to sniff out the basic auth credentials.
Basic auth will prevent the casual drifter from writing graffiti on my
todo list. To prevent real damage to the server itself, I'm relying on
the script to police the input. Bad idea?
More information about the talk