[langsec-discuss] Fwd: Langsec advice for implementing a website

Joshua Herman jherma8 at uic.edu
Thu Jun 14 13:24:31 UTC 2012


<Accidentally kept on sending it with the wrong email address...>
Dear Meredith,
The dynamic routing in bottle.py can be specified by a regular
expression. I am using only the features that make the regex a regular
language and nothing that goes beyond that. I have decided to
preprocess all data coming into the system into a CSV format and then
push it to the controller. The architecture looks like this:

HTML/CSS/JS  <--  CSV --> CONTROLLER (FSM) --> APP

I have decided to have a death state in the controller. It will handle
malformed input with the following strategy.
1. Kill the current thread handling the request.
2. Send the user back to a login screen which is the initial state of
the system.
Thank you for the pointers. My professor (Robert Sloan) made us watch
your talk and it was possibly one of the most fun we had in our
languages and automata class.
Note: I used my alternate email <zitterbewegung at gmail.com> by
accident. This email is a revised version of the previous one. And then
sent it to the wrong email address...
Sincerely,
Joshua Herman

On Tue, Jun 12, 2012 at 4:13 PM, Meredith L. Patterson
<clonearmy at gmail.com> wrote:
> On Tue, Jun 12, 2012 at 10:55 PM, Joshua Herman <jherma8 at uic.edu> wrote:
>> To all:
>> Hello, I just joined this email list and I am designing a website in
>> python with bottle.py. Due to my understanding of your talk I have
>> considered these design goals
>> 1. All templates are finite state machines. No embedded python code
>> can exist other than including other templates or simple conditionals.
>
> Will you be using bottle.py's templating engine, mako, jinja2, or
> something else? I haven't looked too closely at any templating engines
> other than Django's (which is actually Turing-complete,
> http://e6h.de/post/7/) but if you can enforce regularity on your
> templates, that's a good start.
>
> Note that conditionals + labels/GOTO is sufficient for
> Turing-completeness (it's why sed is Turing-complete), so be careful
> how you structure your includes/conditionals.
>
>> 2. Any routing by my controller is a regular expression that I design
>> to be regular.
>
> Can you expand on that a bit?
>
>> 3. State is managed through a controller. The controller can have a
>> FSM specification.
>
> Awesome. If you can specify it as an FSM, do it. Explicit state
> machines are a common way of writing embedded code and I wish more web
> applications used them.
>
> As far as other things to think about:
>
> * What sort of inputs does your site expect to receive from users?
> * What encodings do these inputs use? (JSON, XML, plain text, FASTA?)
> * How will your site recognise and respond to malformed inputs?
>
> Cheers,
> --mlp
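
The design discussed in this thread (a controller specified as an FSM, input preprocessed into CSV, and a death state for malformed input) can be sketched as follows. This is an added example, not code from either poster; the state names, event names and record format are hypothetical, the sample inputs in the usage note are constructed, and stopping the request is modelled by breaking out of the loop rather than killing a thread.

```python
import csv
import io
import re

# Hypothetical states and events for illustration; the thread does not name them.
LOGIN, MENU, EDITING, DEAD = "LOGIN", "MENU", "EDITING", "DEAD"

# Recognizer for one input record: event,argument. Only union, concatenation
# and bounded repetition are used (no backreferences or lookaround), so the
# accepted language is regular.
RECORD = re.compile(r"(login|open|save|logout),([A-Za-z0-9_]{0,32})")

# Explicit transition table: (state, event) -> next state.
TRANSITIONS = {
    (LOGIN, "login"): MENU,
    (MENU, "open"): EDITING,
    (MENU, "logout"): LOGIN,
    (EDITING, "save"): MENU,
    (EDITING, "logout"): LOGIN,
}


def step(state, line):
    """Return the next state for one CSV line; DEAD on any malformed input."""
    if RECORD.fullmatch(line) is None:
        return DEAD  # the line is not in the input language
    event, _arg = next(csv.reader(io.StringIO(line)))
    # An undefined (state, event) pair is also rejected, not silently ignored.
    return TRANSITIONS.get((state, event), DEAD)


def run_session(lines):
    """Drive the controller; returns (final_state, trace of visited states)."""
    state, trace = LOGIN, [LOGIN]
    for line in lines:
        state = step(state, line)
        trace.append(state)
        if state == DEAD:
            # Stop handling this request and reset to the initial state.
            state = LOGIN
            trace.append(state)
            break
    return state, trace
```

Calling `run_session(["login,alice", "open,doc1\"; drop", "save,doc1"])` on this constructed input returns the trace `LOGIN, MENU, DEAD, LOGIN`: the second line is rejected by the recognizer before any transition is looked up, and the third line is never processed.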

