Index: Webapps-Policy-Manual-DRAFT.sgml =================================================================== --- Webapps-Policy-Manual-DRAFT.sgml (revision 108) +++ Webapps-Policy-Manual-DRAFT.sgml (working copy) @@ -89,8 +89,8 @@ Where possible, this document will defer to these other policies: - - + + Terms and Conventions @@ -193,7 +193,7 @@ Other static data, and helper scripts that don't belong in users' paths A unique subdirectory of /usr/share/PACKAGE Persistent application data, Cached/regenerated application data, rrd, mrtg and other database files - See . + See . Site configuration (settings/passwords) /etc/PACKAGE Modifiable and overridable content @@ -301,13 +301,46 @@

If the web application needs a database to run properly, it must abide by the - . + . The maintainer is highly encouraged to use a common tool such as dbconfig-common to perform the database configuration. Please - see the for + see the for more information. + Security measurements +

+ PHP applications must not depend on + the "register_global" setting turned + on in Apache or other httpds. +

+ PHP applications should take extra + care not to use internal variables + before their initialisation, in case + "register_global" is turned on by the + administrator. +

+ Include files should not emit any + output, not even error messages, in + case they are executed directly or + exposed in a web-accessible directory. +

+ + Web-based applications should not + blindly trust any user-provided data. + Before emitting them, the data need to + be checked for cross-site scripting + attempts, i.e. HTML code needs to be + escaped. Input for databases need to + be checked against SQL-injection + attempts, i.e. quotes need to be + escaped. User-driven arguments to any + file or permission related functions + need to be checked against information + disclosure, i.e. input need to be + checked for ways to escape the + intended path on the filesystem. + Architecture independent scripts (Perl, PHP and others)

Scripts that shouldn't normally need to exist in the standard system path should @@ -322,6 +355,9 @@ interpretation via the web must exist in locations where their underlying source code can be directly retrieved. +

This may require to split upstream source + into two directories and adjusting the + include path or statements. Architecture dependant binaries

The policy for Architecture dependant binaries @@ -334,7 +370,7 @@ though this may become deprecated in the future.

Similar to Architecture-independent files, - if such files are intended to be executed via + if such files are not intended to be executed via the web, they must not exist in a location where they can be directly retrieved. @@ -362,7 +398,7 @@

Issues specific to the PHP programming language are covered in the - Document + Document Perl

@@ -393,13 +429,13 @@ should use the web server's implementation of an "alias" directive. For example, - in apache directive is named + in Apache the directive is named "Alias". For web servers that do not provide such a directive, the local administrator is responsible for placing symbolic links in the document root to make an - application web-accessible. + application accessible to web-users. Registering and unregistering an application with web servers

@@ -411,7 +447,7 @@ the target web server supports drop-in configuration via a configuration file directory (such - as the apache family of httpds' + as the Apache family of httpds' conf.d directories) or "include" configuration. In the case of the latter, standard Debian @@ -427,7 +463,8 @@ the package in question should instead provide the configuration as an example following standard - Debian documentation policy. + Debian .

Such configuration should only be performed during installation. During @@ -460,7 +497,7 @@ hosts: - The apache module mod_env can be used + The Apache module mod_env can be used to provide applications with information on where to find config files @@ -471,7 +508,7 @@ information to find what config file/script it should use - For php applications under apache, one + For PHP applications under Apache, one can use "php_value auto_prepend_file" to provide configuration scripts for the application
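Review bot: in the hunk at @@ -301,13 +301,46 @@ (the new "Security measurements" block) the PHP directive is misnamed: it is register_globals (plural), and it is a PHP INI directive, not an Apache setting, so the first two items should read "must not depend on the PHP register_globals directive being enabled" and "in case register_globals is enabled by the administrator". The heading should be "Security measures" ("measurements" means the act of measuring). In the last item, escaping quotes is a weak defence against SQL injection; recommend parameterised queries (prepared statements with bound parameters) as the primary measure, with the database driver's own quoting function only where parameters are unavailable, and change "HTML code needs to be escaped" to "output must be escaped for the context it is emitted into (HTML body, attribute, URL)". Also "the data need to be checked" / "input need to be checked" should agree in number ("data needs", "input needs").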
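Review bot: in the hunk at @@ -322,6 +355,9 @@ the added sentence "This may require to split upstream source into two directories and adjusting the include path or statements." is ungrammatical and mixes verb forms; suggest "This may require splitting the upstream source into two directories and adjusting the include path or the include statements accordingly." The adjacent heading "Architecture dependant binaries" (and the same phrase in the following hunk's context) should read "dependent".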
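Review bot: in the hunk at @@ -393,13 +429,13 @@ the replacement "accessible to web-users" is worse than the text it replaces: "web-users" is not a word, and the point of the sentence is exposure through the web server, not a class of users. Keep "web-accessible", which is the term the rest of the section uses, or write "accessible via the web server".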
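Review bot: in the hunk at @@ -471,7 +508,7 @@ the "php_value auto_prepend_file" recommendation needs a caveat: php_value can be overridden from a .htaccess file wherever AllowOverride permits it, so where the prepended script supplies database credentials or other settings the application must not be able to change, the text should recommend php_admin_value (settable only in the main server configuration and virtual hosts). It should also say that auto_prepend_file applies to every PHP request in the scope where it is set, so it must be placed in a Directory or Location block covering only the application, not server-wide.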