On Tue, 4 Mar 1997, Gause, Robert wrote:
> We are having discussions inside my company on whether it is appropriate or
> not to run Perl or Java CGI programs on an external web server. My personal
> preference is not to run either at the server and I am aware that Chapman &
> Zwicky warn against it.
>
> What are your opinions and experiences.
>
> Secondarily, any thoughts on serving Java apps (I am more open to this)?
The presumption is that you are going to have some CGI programs. IMHO,
Perl or some other interpreted language (with self sizing strings) is more
likely to be secure than C or C++ where people tend to write buffers a
lot.
Failing to have some language for CGI results in not being able to do
forms.
Between Perl and Java, I'd probably pick Perl. You are more likely to be
able to parse your input correctly and securely than in Java.
Best practice, IMHO, is to shell out as little as possible in Perl, and to
use the constructs that avoid actually calling the shell to parse your
command line.
I frequently suggest that people have an independent code review done by
people who might understand a few of the issues. And structure - where
you do the authentication, and what you consider trusted vs. not trusted
may be more important than the language.
Is it "Net Surfing" or "Net Serfing"? - a slave of the net...
I went to a gentleman's cybercafe - and they offered me a 'laptop dance'.
Nick Simicich mailto:njs @ scifi . squawk . com or (last choice) mailto:njs @ us . ibm . com
http://scifi.squawk.com/njs.html -- Stop by and Light Up The World!
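The Perl advice above (shell out as little as possible, and when you must, use the constructs that keep the shell out of the picture) as a worked CGI example. This is an added illustration, not code from the mail or its author: the external program (`finger`), the `user` query parameter, the whitelist pattern and the plain-text response are all assumptions, and the three-argument list-form pipe `open` it uses arrived with Perl 5.8, well after this 1997 exchange.

```perl
#!/usr/bin/perl -T
# Added example: invoking an external program from a Perl CGI script
# without letting /bin/sh parse the command line. Everything below
# (finger, the "user" parameter, the allowed-character pattern) is an
# assumption chosen for illustration.
use strict;
use warnings;

# Taint mode (-T) refuses to pass unchecked user input to system(),
# exec() or a piped open, and also requires a trustworthy environment.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Whitelist validation. The regex capture is what untaints the value,
# so keep it strict: a short token, lowercase letters, digits, '_' and
# '-', and never a leading '-' so it cannot be read as an option.
sub validated_user {
    my ($raw) = @_;
    return undef unless defined $raw;
    return undef unless $raw =~ /\A([a-z][a-z0-9_-]{0,15})\z/;
    return $1;
}

# Risky form: one string is handed to the shell, which re-parses it,
# so shell metacharacters in the input become part of the command.
# Under -T this call dies before running because $raw is tainted.
sub lookup_via_shell {
    my ($raw) = @_;
    return system("/usr/bin/finger $raw");
}

# Safer form: the list-form pipe open calls execvp() directly with the
# argument vector given, so no shell is involved and the validated
# username reaches finger exactly as written.
sub lookup_direct {
    my ($raw) = @_;
    my $user = validated_user($raw);
    return undef unless defined $user;
    open(my $fh, '-|', '/usr/bin/finger', $user) or return undef;
    local $/;              # slurp the program's whole output
    my $out = <$fh>;
    close $fh;
    return $out;
}

# Minimal CGI driver: pull "user" from the query string, URL-decode it,
# and answer in plain text. Decoding happens before validation so the
# whitelist sees the same bytes the program would.
sub run_cgi {
    my $qs  = defined $ENV{QUERY_STRING} ? $ENV{QUERY_STRING} : '';
    my ($raw) = $qs =~ /(?:^|&)user=([^&]*)/;
    if (defined $raw) {
        $raw =~ tr/+/ /;
        $raw =~ s/%([0-9A-Fa-f]{2})/chr hex $1/eg;
    }
    print "Content-Type: text/plain\r\n\r\n";
    my $out = lookup_direct($raw);
    print defined $out ? $out : "Request rejected.\n";
}

run_cgi() unless caller;   # run only when invoked as the CGI script
```

Two details are worth keeping in mind: a single-element `system("...")` or `exec("...")` still goes through the shell whenever the string contains metacharacters, so the protection comes from passing a list of two or more arguments, not merely from using `system`; and taint mode is a backstop, not a substitute for the whitelist, because any regex capture untaints, including a careless `/(.*)/`.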