FP Web
Fairlight
fairlite at fairlite.com
Sun Jul 7 21:30:07 PDT 2019
On Sun, Jul 07, 2019 at 07:37:23PM -0400, Jose Lerebours via Filepro-list thus spoke:
> Is the security concern with filePro back-end or the application
> written using said tool?
Yes.
Any data getting near SYSTEM is always a concern, and that has to do with
both the back-end binaries -and- injection.
> Per injections, well, that has nothing to do with the back-end
> binaries but with the way the programmer writes his/her code. Of
> course, if fileProWeb does not provide means to sanitize data, we
> then have a totally different subject.
Not actually true, in the case of fpcgi 1.x and the default for 2.x.
The whole concept of putting the command-lines as hidden fields was
ill-conceived, to put it as politely as possible. Even after they were
made aware of the ramifications, they only provided an alternative
server-side only methodology for 2.x, but kept the client-side methodology
as the default. Allegedly for purposes of backwards compatibility. I
don't even think the alternative was widely communicated. So yes,
injections -were- an issue with fpcgi, just not in the conventional
SQL injection context. Worse, honestly, since you could inject entire
arbitrary commands. It was an issue even on Windows. There were also
multiple different characters to use to trigger it. They eventually fixed
it, but that was -not- a good demonstration of security awareness.
Then there was the makedir suid root hidden-password bypass at a system
level, if you had any system shell access and could access the path to the
binary. Don't start me.
> I know one thing, if fileProWeb delivers, OneGate, fpWeb and the
> likes of me that write mostly WWW based application are gonna feel
fpWeb is more of a concept than a product, in several people's opinions.
I'm not even sure Howie is supporting it or selling docs to it any longer.
My impression was that he's not, but I could be mistaken.
I'm not actually horribly worried for OneGate. It stands on its own
merits, and it's a proven solution. The v5.x improvements surrounding
templating and includes/substitutions made it about as painless as one
can considering the back-end and general architecture. It was a huge
improvement over the old html2prc methodology, especially in terms of
document structure update deployments.
There are only -two- things that fP Tech could do which would remotely
concern me, and I'm 99.999% sure they haven't done them, because I don't
think they -want- to do them, despite both being the most powerful and
best possible things they could do for everyone, themselves included. I
considered doing one of them myself, but decided that I didn't have the
time or energy to do it on spec. If someone paid me to do it, that would
be another story, but I'm done working on new coding projects on spec in my
free time for the foreseeable future.
> it - In truth, I have not done much filePro development for awhile
> but if fileProWeb can bring my existing application to life with no
> or minimal code re-writing, I just may invest some $$$ (or burn it
> as I have a couple of times).
It's not worth it, in my opinion. Not when you can invest in something
like Delphi, couple it with multiple RDBMS solutions, and run on any
platform (including mobile) for under $10k, with no runtime license costs.
Better data storage engines, better OS agnosticism and pixel-perfect
platform support, full GUI, better ROI due to cost-effective licensing,
better UI possibilities... The list goes on at some length. I actually
almost got into Delphi a year and a half ago. I decided I didn't have the
time or patience to do it on my own dime. The expense wasn't the issue.
I had a deal lined up with them whereby I would have gotten a perpetual
Delphi license for free if I paid for three years' support up-front,
cheaper than the actual license's list price, no less. I was about an hour away
from pulling the trigger on it, it was so attractive. I just checked my
energy levels at the last minute, and decided I wanted to do other, more
enjoyable things with my limited free time than learn another programming
language. If I'm going to learn another full language at this stage in
life, it's going to be on someone else's dime. I have a -list- of hobbies
with higher priority for use of my recreational time; enough for three
lifetimes.
The point remains that I think buying into something like Delphi would be a
far, far saner move than anything one could do with filePro. Maybe not
even specifically Delphi, although it's a very strong contender.
There are only two moves fP Tech could make which would be viable in my
opinion, in the face of such competition and the current marketplace. I'm
five-nines certain they'll never execute either before the rest of the
community is retired or deceased. Actually, I believe one of the two was
supposed to have been a project at one point, but I think it was shelved,
or simply fell off the radar...around a decade ago.
> Notice that I have not even been involved with this list for a
> couple of years but this interests me enough to pay attention and
> read/write a few comments (or books like this one).
I find it interesting in the same way I find WWE 'wrestling' interesting.
It's mildly entertaining for a few minutes, but almost impossible for me to
take seriously. What is downright entertaining is watching them attempt to
take the BlizzCon approach for launching something. That's "break out the
popcorn" territory, right there. Extra butter, please.
m->
--
Audio panton, cogito singularis.
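As an added illustration of the design point made in the post above (this is not fpcgi code and not the poster's own), the difference between a form that carries the command line in a hidden field and a server-side table keyed by a short action token. All names, paths and field names here are hypothetical.

```python
# Added illustration, not fpcgi code: contrast the client-supplied command
# line the post criticises with a server-side action table. Paths and field
# names are hypothetical.
import re
import subprocess
from urllib.parse import parse_qs

# Server-side table: the browser only ever sends a short action token and
# the real command line never leaves the server, so nothing the client
# submits can alter the program or its fixed arguments.
ACTIONS = {
    "list_customers": ["/usr/local/fp/report", "-f", "customers"],
    "print_invoice": ["/usr/local/fp/report", "-f", "invoice"],
}
RECORD_ID = re.compile(r"^[0-9]{1,10}$")  # the only client value that reaches argv


def build_command(query_string):
    """Map a submitted form body to an argv list, or None if it is refused."""
    form = parse_qs(query_string, keep_blank_values=True)
    action = form.get("action", [""])[0]
    if action not in ACTIONS:
        return None  # unknown token: refuse (and log) rather than run anything
    argv = list(ACTIONS[action])
    rec = form.get("record", [""])[0]
    if rec:
        if not RECORD_ID.fullmatch(rec):
            return None  # anything but a plain record number is refused
        argv += ["-r", rec]
    return argv


def client_side_design(query_string):
    """The 1.x-style pattern: the hidden field *is* the command line."""
    form = parse_qs(query_string)
    return form.get("cmd", [""])[0]  # whatever arrived is what would be run


def run(argv):
    # argv list and no shell, so a value is passed as one literal argument
    return subprocess.run(argv, capture_output=True, text=True)
```

The point of the contrast is that in the table-driven form the client can only choose among commands the server already defined, whereas in the hidden-field form the client chooses the command itself.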