Beefy Boxes and Bandwidth Generously Provided by pair Networks
Think about Loose Coupling
 
PerlMonks  

(ichimunki) Re: Security Rant

by ichimunki (Priest)
on Dec 05, 2001 at 03:45 UTC ( [id://129481]=note: print w/replies, xml ) Need Help??


in reply to (OT) Security Rant

I have a bone to pick here. This "rant" is not Off-Topic (OT) as stated in the title. It is a mantra more important than use strict!

Perl is probably (and I'm completely guessing here, but I like to think it's an educated guess) the 2nd most likely programming language to be involved in a potential security incident (C being the first, since so many services are written in that-- and I'm trying not to think about Outlook right now). Not because the language Perl itself is weak or rife with holes, but because it is commonly used in situations where there is world-wide exposure for the resulting executable-- CGI scripts on the web. And web programming is deceptively simple seeming. Add a print "content-type: html/text\n\n" to your script and suddenly it's a CGI script.

But the paradigm shift from writing scripts for a trusted client in a secure environment (that is, the user probably doesn't want to trash their own box, so while we might verify their input makes sense we probably won't check it for interesting hacks related to piping dangerous commands to the shell) to writing scripts for a hostile environment is almost never covered well in "Quick Easy Perl Web Mastery" books, because that wouldn't be, well, quick or easy to master.

As long as you have the energy, please never feel it's off-topic or inappropriate to bring up security issues. :)

Replies are listed 'Best First'.
Re:Re: Security Rant
by strfry() (Monk) on Dec 05, 2001 at 04:38 UTC

    i agree wholeheartedly (especially about it not being off-topic); we've all seen how perfectly capable Perl is as a programming language - and that itself has a few caveats, if a user doesn't know what they're doing when they make their favorite script suid root. While I know this is a very basic example, it still stands that some of us (IMHO all of us) could benefit from more talk of ways to keep Perl scripts and applications secure. As far as I've seen, Perl/Apache (be it mod_perl or vanilla CGI) is the most common CGI language/server combination on the web (well, according to apache - they've got a figure of around 56% floating on their website)

    and users would do well to remember what happens when Quick and Easy programs don't stay quick and easy. Sometimes, they'll actually be used by other people, and built upon... maybe even be the basis of more widely used applications. Eventually, with poor design, and a little rum involved, they sometimes grow to be a web-based SNAFU [tm] of incredible size.
    (where i work, when we integrate our software with other companies e-commerce solutions, it's frightening how often I see 'unpatched' formmail.pl / formmail.cgi in their cgi-bins!)

    in a nutshell, i feel pretty darn lucky to be able to code in something that keeps track of it's own memory, doesn't require me to do type definitions, and gives me simple, intelligent ways to handle text; Perl is great if you're lazy. but it won't keep you from falling on your face if you don't watch where you put your feet.
    in a smaller nutshell, use strict;, use warnings;, use the  -T switch, and watch your step. (:

    --
    Peace,
    strfry{}
[reply]
[d/l]
[select]

In Section Meditations

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://129481]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others chanting in the Monastery: (2)
As of 2024-04-20 04:21 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found