From owner-freebsd-security Fri Nov 20 18:12:12 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA24617 for freebsd-security-outgoing; Fri, 20 Nov 1998 18:12:12 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from xylan.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA24611 for ; Fri, 20 Nov 1998 18:12:09 -0800 (PST) (envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com by xylan.com (8.8.7/SMI-SVR4 (xylan-mgw 2.2 [OUT])) id SAA10178; Fri, 20 Nov 1998 18:10:53 -0800 (PST)
Received: from utah.XYLAN.COM by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id SAA07792; Fri, 20 Nov 1998 18:10:52 -0800
Received: from softweyr.com by utah.XYLAN.COM (SMI-8.6/SMI-SVR4 (xylan utah [SPOOL])) id TAA25444; Fri, 20 Nov 1998 19:10:51 -0700
Message-ID: <3656212A.DB67ADEA@softweyr.com>
Date: Fri, 20 Nov 1998 19:10:50 -0700
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 2.2.7-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Matthew Dillon
CC: Jeroen Ruigrok/Asmodai , Per Kristian Hove , freebsd-security@FreeBSD.ORG, Andrew McNaughton
Subject: Re: pkhttpd (Was: Would this make FreeBSD more secure?)
References: <199811210129.RAA19628@apollo.backplane.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Matthew Dillon wrote:
>
>     If you don't use the fancier features it's fairly easy to write a web
>     server.  Writing a scaleable web server is a different matter, but even
>     so it isn't going to be all that big.
>
>     A short list of optional features that you do not have to implement
>     include:
>
>         byte serving (Range: header)
>         persistent connections
>         proxy functions
>         content matching
>
>     Common features you should/must deal with properly:
>
>         Handling missing trailing slashes properly (by returning a
>         redirect)
>         code 100 processing (if implementing HTTP/1.1)
>         Handling content-length, POST data
>         Handling If-modified-Since
>         Handling Authorization if you intend to password-protect
>         the system using authorization mechanisms.
>         Properly escaping input and output strings according to the spec.

Agreed, except for the persistent connections.  You really do need that to
work around some really bogus bugs in IE 4.0, and it's not that hard to do.
Plus, it'll save your little embedded system a lot of work setting up and
taking down TCP connections on complicated pages.

--
       Where am I, and what am I doing in this handbasket?

Wes Peters                                                      +1.801.915.2061
Softweyr LLC                                                    wes@softweyr.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
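
Two items from the quoted checklist, input unescaping and the trailing-slash redirect, sketched in C as an added example; it is not code from this thread or from pkhttpd. The names `url_decode`, `classify` and `demo_is_dir` are hypothetical, `demo_is_dir` is a constructed stand-in for a real `stat()` check, and query strings are assumed to be split off beforehand.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum action { SERVE, REDIRECT_SLASH, REJECT };

/* Decode %XX escapes. Fails (-1) on malformed escapes, %00, or overflow. */
int url_decode(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    if (outsz == 0) return -1;
    while (*in) {
        int c = (unsigned char)*in++;
        if (c == '%') {
            unsigned v;
            /* isxdigit('\0') is false, so a truncated escape never over-reads */
            if (!isxdigit((unsigned char)in[0]) || !isxdigit((unsigned char)in[1]))
                return -1;
            if (sscanf(in, "%2x", &v) != 1) return -1;
            c = (int)v; in += 2;
            if (c == 0) return -1;      /* embedded NUL would truncate the path */
        }
        if (o + 1 >= outsz) return -1;  /* keep room for the terminator */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Constructed stand-in for a stat() check: only "/docs" is a directory. */
int demo_is_dir(const char *p) { return strcmp(p, "/docs") == 0; }

enum action classify(const char *raw, int (*is_dir)(const char *),
                     char *path, size_t pathsz) {
    if (url_decode(raw, path, pathsz) != 0 || path[0] != '/')
        return REJECT;
    /* Look for ".." segments after decoding, so %2e%2e is caught too. */
    for (const char *p = path; (p = strstr(p, "..")) != NULL; p++)
        if (p[-1] == '/' && (p[2] == '/' || p[2] == '\0'))
            return REJECT;
    if (path[strlen(path) - 1] != '/' && is_dir(path))
        return REDIRECT_SLASH;          /* answer with a redirect to path + "/" */
    return SERVE;
}

int main(void) {
    char buf[64];
    printf("%d\n", classify("/%64ocs", demo_is_dir, buf, sizeof buf));
    return 0;
}
```

When the redirect is sent, the `Location` value has to be re-escaped from the decoded path rather than echoed from the raw request, which is the output half of the escaping item.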