Additional security considerations mentioned in user manual.

pull/7/head
Ferry Boender 8 years ago
parent c00d308fef
commit 803420289a
  1. 14
      doc/MANUAL.md

@ -1307,6 +1307,14 @@ There are a few security issues to take into consideration when deploying Script
- Scriptform logs the invocation of scripts and variables to the log file for - Scriptform logs the invocation of scripts and variables to the log file for
auditing purposes. auditing purposes.
- Scriptform is not meant to be served to the public internet. **You should - Although Scriptform is written to be secure, it not meant to be served to
only use it in controlled environments where a certain level of trust is the public internet. **You should only use it in controlled environments
placed in the users!** where a certain level of trust is placed in the users!**. The reason for
this is because it's really easy to make mistakes in validating input in
the shell scripts called by Scriptform.
- Although Scriptform validates form fields, it does little to protect against
things such as shell expansion attacks and such. You should validate your
input, even (and perhaps most importantly) in shell scripts. If you're
worried about security, you may want to write your backend scripts in a
proper language such as Perl or Python.
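
Review bot: The rewritten bullet on public internet exposure has two wording slips: "it not meant to be served" is missing "is", and "users!**." leaves a stray period after the bold span, so it should read "it is not meant to be served" and end at "users!**". In the new final bullet, "things such as shell expansion attacks and such" is redundant, and "You should validate your input" gives the reader nothing concrete to do. Suggest naming at least one practice, for example quoting every variable expansion in shell scripts. The closing advice about Perl or Python should also say that switching languages only helps if the script does not pass form values on to a shell.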
