Re: Fixing stupid PHP application design flaws

To: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Cc: joey@debian.org, Debian Security <debian-security@lists.debian.org>
Subject: Re: Fixing stupid PHP application design flaws
From: Javier Fernández-Sanguino Peña <jfs@computer.org>
Date: Sat, 30 Apr 2005 10:55:34 +0200
Message-id: <[🔎] 20050430085533.GA31688@dat.etsit.upm.es>
In-reply-to: <[🔎] 20050428134548.GJ2785@A-Eskwadraat.nl>
References: <[🔎] 20050428131508.GQ7744@finlandia.infodrom.north.de> <[🔎] 20050428134548.GJ2785@A-Eskwadraat.nl>

On Thu, Apr 28, 2005 at 03:45:48PM +0200, Jeroen van Wolffelaar wrote:
> It'd be wise for those projects to take the extra precaution by allowing
> (and the Debian maintainer to do so) include files outside the web root,
> but to DSA for such a thing when there might not even be a vulnerability
> at all, seems premature to me. It'd be like fixing all uses of sprintf
> because the programmer could have used snprintf to be more sure there is
> no problem.

That's proactive security to me, and should be done (maybe not through a
DSA, but before the package is released). E.g.: OpenBSD. There is no easy
way to demonstrate that "there is no problem", and maybe there is one, but
nobody noticed, its safer to just purge those unsafe functions anyway.

Regards

Javier

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- Fixing stupid PHP application design flaws
  - From: Martin Schulze <joey@infodrom.org>
- Re: Fixing stupid PHP application design flaws
  - From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>

Prev by Date: Re: Fixing stupid PHP application design flaws
Next by Date: Hey remember i told you about this Madeleine
Previous by thread: Re: Fixing stupid PHP application design flaws
Next by thread: Re: Fixing stupid PHP application design flaws
Index(es):
- Date
- Thread