Hi<br><br>On Thursday, January 30, 2014, Paul Gardiner <<a href="mailto:lists@glidos.net">lists@glidos.net</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On 29 January 2014 19:06:22 GMT, Gary Buhrmaster <<a href="javascript:;" onclick="_e(event, 'cvml', 'gary.buhrmaster@gmail.com')">gary.buhrmaster@gmail.com</a>> wrote:<br>
>On Wed, Jan 29, 2014 at 6:55 PM, Jay Ashworth <<a href="javascript:;" onclick="_e(event, 'cvml', 'jra@baylink.com')">jra@baylink.com</a>> wrote:<br>
>....<br>
>> Does Myth *really* want to assume responsibility for public web<br>
>security?<br>
><br>
>Nope, and neither should the existing MythWeb PHP functions<br>
>(if you search carefully, you can find people who put MythWeb<br>
>on the 'net; you could delete all their recordings, and remove<br>
>all their rules, should one be appropriately so evilly inclined).<br>
<br>
I don't think that was the point Jay was making. If you take over port 80, then bugs can possibly open up a way to run arbitrary code on the server (albeit as mythbackend user). It's far worse than just the loss of some recordings. I'm now starting to wonder whether this new approach is a bad idea.<br>
<br>
I get the wish to avoid rewriting existing cpp code in php, but why not provide php veneers over the existing cpp. And surely the new way means providing our own versions of parts of apache.<br><br>
</blockquote><div><br></div><div>Why would you need to take over port 80?</div><div><br></div><div>That would be very inconvenient to start with. </div><div><br></div><div>You could listen on any port, in a similar fashion to tomcat. If you want integration in another web service such as apache (one that handle authentication and authorisation), then use something like mod_proxy or a connector like ajp. </div>
<div><br></div><div>I've been integrating web services like this for years and never had issues. </div><div><br></div><div>You don't even need to worry about encryption on the myth end. Instead have apache (or whatever else) handle that. The connection between Apache and the mythbackend server being sent in the clear. </div>
<div><br></div><div>My $0.02<span></span> </div>