Security
This page explains the security mechanisms of the OpenACS platform. For an overview of the general security strategy please check here.
OpenACS is based on the scripting language Tcl. Scripting languages avoid the buffer-overflow vulnerabilities that make up a large share of all Internet security holes, because buffer management is handled by the runtime rather than by the programmer, so a programmer mistake cannot cause a buffer overflow. Note that this protection covers the application code only: the Tcl interpreter, the web server and any C extensions are still native code.
ad_page_contract {
Save the changes after modifying an
existing absence record.
@param absence_id Business object ID
@param owner_id Absence initiator
@param start_date Absence start
@param end_date Absence end
@param description Description of absence
@param return_url Where to return?
} {
{absence_id:integer 0}
owner_id:integer,notnull
start_date:date,notnull
end_date:date,notnull
description:trim,html,notnull
{return_url "/intranet-timesheet/absences/"}
}
A sample page contract. "absence_id" must be an integer and defaults to 0 if no value is explicitly given; "owner_id" must be an integer and must be present (notnull); "start_date" and "end_date" must parse as dates. "description" is explicitly allowed to contain HTML tags (the html filter), while HTML is rejected for all other variables by default. "return_url" falls back to the absences index page when the caller does not pass one.
A "page contract" is a formal description of the input variables of an application page, similar to the procedure or method header in a procedural programming language.
The reason for page contracts is that every application page is exposed to a hostile environment, the Internet: every input parameter can be manipulated by a malicious user. The contract lets the developer declare the type and constraints of each parameter in one place, and the framework rejects a request that violates them before the page's own code runs with the bad value.
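The following is an added example, not OpenACS code: a small Python re-implementation of the checks the page contract above asks for, so the effect of each filter can be seen on sample requests. Filter names follow the contract; the rule that HTML is rejected unless the html filter is given follows the description above. The helper names (apply_contract, contract_error) and the sample requests are constructed for this example.

```python
import re
from datetime import date

# (name, filters, default): mirrors the parameter block of the contract above.
CONTRACT = [
    ("absence_id",  ["integer"],                 0),
    ("owner_id",    ["integer", "notnull"],      None),
    ("start_date",  ["date", "notnull"],         None),
    ("end_date",    ["date", "notnull"],         None),
    ("description", ["trim", "html", "notnull"], None),
    ("return_url",  [],                          "/intranet-timesheet/absences/"),
]

class ContractError(ValueError):
    """Raised when a request value violates the page contract."""

def _integer(name, value):
    # The whole value must be an integer literal; "42 or 1=1" or "12abc" fail here.
    if not re.fullmatch(r"-?[0-9]+", value):
        raise ContractError(f"{name}: '{value}' is not an integer")
    return int(value)

def _date(name, value):
    # ISO yyyy-mm-dd; impossible dates such as 2024-02-30 are rejected.
    try:
        return date.fromisoformat(value)
    except ValueError:
        raise ContractError(f"{name}: '{value}' is not a valid date") from None

def apply_contract(contract, params):
    """Return the validated, typed values, or raise ContractError.

    params models the raw request: every value is a string and a parameter
    that was not sent is simply absent from the dict."""
    out = {}
    for name, filters, default in contract:
        value = params.get(name)
        if value is not None and "trim" in filters:
            value = value.strip()          # trim runs before the notnull check
        if value is None or value == "":
            if "notnull" in filters:
                raise ContractError(f"{name}: required value missing")
            out[name] = default
            continue
        if "integer" in filters:
            value = _integer(name, value)
        elif "date" in filters:
            value = _date(name, value)
        elif "html" not in filters and re.search(r"<[^>]*>", value):
            # Default for string parameters as described above: no HTML unless
            # the contract opts in with the html filter.
            raise ContractError(f"{name}: HTML is not allowed")
        out[name] = value
    return out

def contract_error(params):
    """The error message for a request, or None if the contract accepts it."""
    try:
        apply_contract(CONTRACT, params)
        return None
    except ContractError as exc:
        return str(exc)

# Constructed sample requests, not real traffic.
GOOD_REQUEST = {
    "owner_id": "42",
    "start_date": "2024-03-01",
    "end_date": "2024-03-05",
    "description": "  Sick leave, <b>doctor's note</b> attached  ",
}
BAD_REQUESTS = {
    "sql in an integer":      {**GOOD_REQUEST, "owner_id": "42 or 1=1"},
    "impossible date":        {**GOOD_REQUEST, "start_date": "2024-02-30"},
    "html where not allowed": {**GOOD_REQUEST, "return_url": "<script>alert(1)</script>"},
    "blank after trim":       {**GOOD_REQUEST, "description": "   "},
    "missing required":       {k: v for k, v in GOOD_REQUEST.items() if k != "end_date"},
}

if __name__ == "__main__":
    print(apply_contract(CONTRACT, GOOD_REQUEST))
    for label, request in BAD_REQUESTS.items():
        print(f"{label:>24}: {contract_error(request)}")
```

The good request comes back typed (absence_id as the integer default 0, the dates as date objects, the description trimmed but with its tags intact); each bad request is refused with a message naming the offending parameter, which is the behaviour a page relies on when it uses the validated values in SQL or HTML.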
select * from users where user_id = $user_id;
An "innocent" SQL statement that retrieves information about a specific user. $user_id is a Tcl variable, so its value is substituted into the SQL text before the statement reaches the database.
Another frequent source of security holes in Internet applications are variable values that are included in SQL statements. Such a variable can be altered by a malicious user to contain additional SQL, in order to extract information from the database or to cause damage. With the statement above, a request carrying the value shown below turns the single SELECT into a SELECT followed by a DELETE.
user_id = "0; delete from users cascade"
select * from users where user_id = :user_id;
The ":user_id" bind variable, used instead of the "$user_id" Tcl variable, passes the value to the database as a whole. With the value above the database responds with a "bad number" error or similar, because the string is not a valid user_id, and no DELETE is executed.
As a solution, OpenACS provides bind variables (":name" inside the SQL, resolved by the database driver). The driver sends the SQL text and the value separately, so the value is taken as a whole and can never be parsed as SQL, which eliminates this class of vulnerability.
Compliance with this convention, no "$" Tcl substitution inside SQL statements, can be checked semi-automatically, for example with a Perl script that scans the source for SQL statements containing "$" variables.
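The following is an added example, not OpenACS code: the difference between "$" substitution and a bind variable, reproduced with Python's sqlite3 module so it runs offline. sqlite3 writes the placeholder as "?" where the OpenACS database API writes ":user_id", but the mechanism is the same: the SQL text is fixed and the value is sent separately. The users table and its three rows are constructed for this example, and the payload is the page's one adapted to SQLite syntax (SQLite has no "delete ... cascade").

```python
import sqlite3

def fresh_db():
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (user_id integer primary key, email text)")
    conn.executemany("insert into users values (?, ?)", [
        (1, "alice@example.com"), (2, "bob@example.com"), (3, "carol@example.com"),
    ])
    conn.commit()
    return conn

def count_users(conn):
    return conn.execute("select count(*) from users").fetchone()[0]

def emails_unsafe(conn, user_id):
    # Equivalent of "... where user_id = $user_id": the request value becomes
    # part of the SQL text, so SQL inside the value is parsed as SQL.
    sql = f"select email from users where user_id = {user_id} order by user_id"
    return [row[0] for row in conn.execute(sql)]

def run_unsafe_stacked(conn, user_id):
    # Same interpolation, run through executescript, which (like many database
    # drivers) accepts several ';'-separated statements in one request. The
    # page's payload ends the SELECT and appends a DELETE; no rows are returned.
    conn.executescript(f"select email from users where user_id = {user_id}")

def emails_safe(conn, user_id):
    # Equivalent of "... where user_id = :user_id": the SQL never changes and the
    # value travels as a bind parameter. A string such as "0 or 1=1" is compared
    # as a whole against the integer column and matches nothing. (PostgreSQL,
    # which OpenACS targets, would instead reject the value with a type error.)
    sql = "select email from users where user_id = ? order by user_id"
    return [row[0] for row in conn.execute(sql, (user_id,))]

if __name__ == "__main__":
    conn = fresh_db()
    print(emails_unsafe(conn, "0 or 1=1"))      # every address leaks
    print(emails_safe(conn, "0 or 1=1"))        # []
    run_unsafe_stacked(conn, "0; delete from users")
    print(count_users(conn))                    # 0: the table was wiped
    conn = fresh_db()
    print(emails_safe(conn, "0; delete from users"))
    print(count_users(conn))                    # still 3
```

Whether the interpolated variant leaks data or destroys it depends only on what the attacker puts in the value; the bound variant behaves the same for every value, which is why the page-contract type check and the bind variable belong together: the contract guarantees user_id is an integer, and the bind variable guarantees that even a non-integer could not be executed.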