PerlMonks  

Re: Awstats Perl security

by cLive ;-) (Prior)
on Nov 09, 2005 at 17:50 UTC [id://507153]


in reply to Awstats Perl security

It always amazes me when I see taint errors in very old and well used software. awstats caused us some real problems a while back.

The worst though has to be phpBB. I'm still astounded that PHP lets you include a library from another server. The mind boggles...

Re^2: Awstats Perl security
by cowboy (Friar) on Nov 09, 2005 at 18:29 UTC
    You could easily include a library from another server in Perl as well (maybe not as easily, but not very difficult with lwp/eval/require/do). This is not a problem with a language, but a problem with the developer knowing enough to be able to use it, but not knowing enough to know why they should not use it.

      No.

      PHP source files are basically webpages, so include is often used to manage template hierarchies. But these templates can contain code – and the function will happily fetch them from remote URLs. These factors play together to make very ordinary-looking code a potential minefield.

      In Perl, you’d use open, and you can’t give that a URL and have it work. Much less will it automatically cause code in loaded files to execute. require is very rarely used on user input and use practically never.

      So basically, in PHP, you only need to find where code carelessly puts user input into file paths, whereas in Perl, you need to find a place where user input is used imprudently in an eval.

      I’d say the odds are significantly stacked against PHP in this matter.

      But, sure, once a developer has been bitten and knows to pay attention to this trap, it’s not that hard to protect against.

      Makeshifts last the longest.
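The defensive side of the comparison above, as an added example that is not code from this thread or from awstats: a Perl template loader that takes a user-chosen name, untaints it against a strict allowlist, confines the lookup to one directory, and reads the file as data with open rather than running it through do, require or eval. The template directory (created as a temp dir here so the script runs offline) and the .tmpl suffix are assumptions for the example.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread: load a page template chosen by user
# input without letting the input name arbitrary files or execute code.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Assumption: all templates live in one fixed directory. A temp dir with one
# constructed template stands in for it so the example runs anywhere.
my $TEMPLATE_DIR = tempdir(CLEANUP => 1);
{
    open my $out, '>', "$TEMPLATE_DIR/index.tmpl" or die "setup: $!";
    print {$out} "<h1>Hello from the index template</h1>\n";
    close $out;
}

# Returns the template body or dies with a reason. The name is untainted only
# by the capture of an allowlist pattern (letters, digits, underscore, hyphen),
# so "../", "/", "http://" and friends can never reach the file system. Under
# -T, passing the raw input to open() would raise "Insecure dependency".
sub load_template {
    my ($name) = @_;
    defined $name && $name =~ /\A([A-Za-z0-9_-]{1,64})\z/
        or die "invalid template name\n";
    my $safe = $1;    # untainted copy from the capture
    my $path = File::Spec->catfile($TEMPLATE_DIR, "$safe.tmpl");

    # Plain data read: open() never fetches URLs and never executes the file,
    # unlike do/require/eval, which would run whatever the file contains.
    open my $fh, '<', $path or die "cannot open template: $!\n";
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Constructed sample inputs showing accept/reject behaviour.
for my $input ('index', '../../etc/passwd', 'http://example.invalid/x.txt') {
    my $result = eval { load_template($input) };
    print "$input: ", defined $result
        ? 'loaded ' . length($result) . " bytes\n"
        : "rejected: $@";
}
```

Run it as `perl -T script.pl` so taint checks are active from the start; only the first input loads, the two path-like and URL-like names are rejected by the allowlist before any file access happens.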
