From: "Randy Brukardt"
Newsgroups: comp.lang.ada
Subject: Re: Web Development Using Ada?
Date: Mon, 5 Aug 2013 23:43:24 -0500

"Yannick Duchêne (Hibou57)" wrote in message news:op.w0w1zhgxule2fv@cardamome...
On Sun, 28 Jul 2013 05:03:51 +0200, Randy Brukardt wrote:

>> OTOH, if you execute a shell, if an attacker can find a way to pass
>> information to that shell, they might be able to do anything. Apache has
>> fixed many such bugs. It's better if there are no shell outs. It's even
>> better if the capability to do shell outs isn't even in the code (since some
>> attacks require executing existing code in unusual ways - if the process
>> doesn't have any code that can shell out, such attacks can't shell out
>> either).
>
> What's "shell out" in this context? A server, or anything responding to a
> request, has no reason to have any connections to the shell.

Anything that requires executing another piece of code (for instance, launching a Python interpreter to execute Python code). If one keeps the entire server in Ada, then the capability of launching another program is not even in the code, making attacks via return modification impossible (and these are the attacks which get around techniques to prevent code injection, such as DEP on Windows).

Randy.

--
"Syntactic sugar causes cancer of the semi-colons." [1]
"Structured Programming supports the law of the excluded muddle." [1]
[1]: Epigrams on Programming - Alan J. Perlis, Yale University
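The check Randy's argument suggests, as an added example that is not from this thread or from any Ada project: a POSIX shell audit of a server binary's dynamic imports for process-spawning primitives (`system`, `popen`, the `exec*` family, `posix_spawn`, `fork`). It assumes GNU binutils `nm` for the live check; the symbol listings mentioned in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: audit a binary's dynamic imports for
# process-spawning primitives. If none are imported, the process carries no
# "shell out" code that a modified return address could be redirected into.
# Assumes GNU binutils `nm` for the live check; the filter itself needs only
# POSIX sh and can be fed a saved symbol listing such as the constructed
# sample "                 U system@GLIBC_2.2.5".

# Read `nm -D --undefined-only` output on stdin. Prints each imported
# spawn/shell primitive found, one per line. Exit status: 0 = clean,
# 1 = at least one shell-out primitive is imported.
shellout_imports() {
    found=0
    while read -r line; do
        [ -n "$line" ] || continue
        sym=${line##* }      # last field of the nm line is the symbol name
        sym=${sym%%@*}       # drop the version suffix, e.g. system@GLIBC_2.2.5
        case "$sym" in
            system|popen|execl|execlp|execle|execv|execvp|execvpe|execve|posix_spawn|posix_spawnp|fork|vfork)
                printf '%s\n' "$sym"
                found=1 ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Live check against a real binary: audit_binary /path/to/server
audit_binary() {
    nm -D --undefined-only "$1" | shellout_imports
}
```

Only dynamically imported symbols are examined; a statically linked libc, or code that issues the `execve` system call directly, would not appear here and needs a different check.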