GeneWeb

To webmasters - Security in GeneWeb



When installing a software in a computer, security issues have importance. If you want to install GeneWeb as server or as CGI, you probably want to know if it is not going to perturbate your computer, or, worse, if it is not a possible entry for viruses, undesired intrusion or access to computer private information.

Of course, I am just a human being and it is always possible that there are bugs causing security holes through GeneWeb.

However, I paid some special attention to this aspect. There are three directories which are accessed:

Normally, no other directories are accessed. In read and in write, there is no way to access other directories than the ones defined by -hd, -dd or -bd. In the requests holding file names, the file name cannot not start with "/" or "./" or "../". If it does, either the request is refused, or only the

For example, if a request is created "by hand" to hold directories, it is either refused, or the file part in only selected: the request holding "/etc/passwd" or "../../../etc/passwd" would be transformed into "passwd" relative to the GeneWeb directories.

Morever, the language used, Ocaml, is a very serious and solid programming language. Attempts to divert a program from its initial destination by overflowing arrays, accessing bad pointers or uninitialized variables is impossible: in Ocaml all array accesses are checked, there are no pointers and there is no notion of unitialized variables (variables are created by a value assignment). I mean: Ocaml is not C...

Ocaml is a compiled language (= not interpreted): there is no way to execute programs by other ways than explicitely calling them in the code. And the program gwd never calls other programs.

Return Directions for Use.


© Copyright INRIA 1999 - GeneWeb