Any processing time is negligible and the security benefits are great. Since
the include file is unlikely to process correctly from the start an error is
returned before much processing has occurred. The result is I haven't seen
any additional overhead.

Scott

> On Tue, 9 Jul 2002, Andrew van der Stock wrote:
>
> Kevin,
>
> It is important to reinforce the lesson of "As long as the include file
> is not of a type that can be returned in plaintext to the server" bit of
> your mail. I see it all the time during my code reviews, and it's never
> a good thing.
>
> On IIS using ASP pages (not JSP's), it's good security administration
> practice to make sure all include files have a registered filetype
> handled by the ASP dll's.
>
> For example:
>
> <%
>
> include 'blah.inc'
>
> will probably allow an attacker to retrieve the source for blah.inc.
>
> If you rename 'blah.inc' to 'blah.asp', the source is processed by the
> ASP dll before being handed off to the requestor. There is no downside
> to this preferred behavior.
>
> Andrew
>
No downside? What about additional processing overhead on the server?

Al.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]