Re^2: Attack on Perl or Perl's need better PR (again)

by wazoox (Prior)
on Nov 30, 2005 at 17:29 UTC [id://513010]


in reply to Re: Attack on Perl or Perl's need better PR (again)
in thread Attack on Perl or Perl's need better PR (again)

By the way, I'd want to mention that webmin is a useful tool, and it's written in perl4 style for somewhat good reasons:
  1. because it was first written a long time ago when perl4 was the de facto standard.
  2. because it's supposed to run on operating systems that may provide only perl4 as default (many proprietary Unixen did until recently or perhaps still do even today)
  3. because rewriting it entirely using taint mode and separate privileges would be a huge amount of work and would break compatibility for gazillions of existing modules in the wilderness.

    However, the real fault would belong to the administrator who'd leave an accessible webmin server on the web! I wouldn't dare, even a secured, perl5 tainted webmin...

Re^3: Attack on Perl or Perl's need better PR (again)
by rinceWind (Monsignor) on Nov 30, 2005 at 17:45 UTC
    because it's supposed to run on operating systems that may provide only perl4 as default (many proprietary Unixen did until recently or perhaps still do even today)

    You may be right, but I would be interested in your listing any platform or distribution that ships a perl earlier than 5.6.1.

    Anyway, that's no excuse for the people who develop and maintain Webmin not to produce a secure version, with -T and best current practices. If such is being shipped as a package it should be made dependent on a recent perl package.

    However, the real fault would belong to the administrator who'd leave an accessible webmin server on the web ! I wouldn't dare, even a secured, perl5 tainted webmin...

    Depends what you mean by leave accessible. Would you entertain having the app available htpasswd-protected? You could always set it up so that alarm bells are rung if it gets invoked unexpectedly.

    --

    Oh Lord, won’t you burn me a Knoppix CD ?
    My friends all rate Windows, I must disagree.
    Your powers of persuasion will set them all free,
    So oh Lord, won’t you burn me a Knoppix CD ?
    (Misquoting Janis Joplin)
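To make the "-T and best current practices" point concrete, here is an added example (not code from the thread or from Webmin) of the difference between a perl4-style habit and a taint-checked perl5 script. The script takes a constructed username from @ARGV, which taint mode treats as untrusted, and is run as `perl -T taint_demo.pl alice`.

```perl
#!/usr/bin/perl -T
# Added illustration, not Webmin code: taint mode (-T) refuses to pass
# data that came from outside the program to system(), exec(), open() etc.
use strict;
use warnings;

# Under -T, system() also dies if PATH is tainted, so pin it explicitly
# and drop the environment variables a shell would honour.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# The only way to launder taint is a regex capture: allow-list the
# characters a username may contain and reject everything else.
sub untaint_username {
    my ($raw) = @_;
    return $raw =~ /\A([a-z_][a-z0-9_-]{0,31})\z/ ? $1 : undef;
}

my $raw  = defined $ARGV[0] ? $ARGV[0] : '';   # tainted: came from argv
my $user = untaint_username($raw);
die "refusing unsafe username '$raw'\n" unless defined $user;

# perl4 habit: interpolating the raw value into a shell command line.
# With -T this line would die with "Insecure dependency in system", and
# without -T it would hand the value straight to the shell.
# system("id $raw");

# Taint-clean version: untainted value, list-form system() so no shell
# is involved at all.
my $rc = system('id', $user);
print "id exited with status ", $rc >> 8, "\n";
```

Try `perl -T taint_demo.pl 'alice;touch /tmp/x'` to see the allow-list reject the argument before any command runs.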

      Just wanted to point out that even though I agree that there are probably very very very few (or none) unixen that ship today with perl4 as the standard perl, there are lots of them that have in the past. And while it's easy for us to tell someone who uses an old unix box to upgrade, it's not always easy for them to do so.

        Once there is a reasonably secure and robust webmin, someone should build a multi-architecture PAR distribution for the platforms where it is needed. This will save the admins from needing to upgrade perl.


      You may be right, but I would be interested in your listing any platform or distribution that ships a perl earlier than 5.6.1.

      Well, let's have a try :)

      nox 3% uname -aR
      IRIX nox 6.5 6.5.22m 10070055 IP22
      nox 4% perl -v
      
      This is perl, version 5.004_05 built for irix-n32
      (with 1 registered patch, see perl -V for more detail)
      

      Solaris ships decent perl versions, but I don't know for AIX, Tru64 and HP/UX.

        Newer AIX (5.1+) and HP-UX (11i+) both ship with 5.8 available. (HP-UX standard install may still come with perl4 installed, but 5.8 is there as an option now, iirc)

        C.

        Tru64 version 5.1a:

        $ perl -v
        
        This is perl, v5.6.0 built for alpha-dec_osf

        Tru64 version 5.1b:

        $ perl -v
        
        This is perl, v5.8.0 built for alpha-dec_osf
      I thought it was still fairly standard to ship 5.005_03 as the standard interpreter. That's from being on a handful of Sun and BSD boxes. I still think it's pretty strange that my Linux actually comes with a 5.8.
        5.005_03 shipped with Solaris 8. Solaris 9 shipped with 5.6.1 and 5.005_03, the latter for compatibility reasons. Solaris 10 ships with 5.8.x, for some version of x, and 5.6.1. Solaris 11 will ship with whatever is the current Perl version when the cut is made, and with the version that shipped with Solaris 10.
        Perl --((8:>*
Re^3: Attack on Perl or Perl's need better PR (again)
by sanPerl (Friar) on Dec 01, 2005 at 08:15 UTC
        because rewriting it entirely using taint mode and separate privileges would be a huge work and will break compatibility for gazillions of existing modules in the wilderness.
    I think it makes sense to rewrite the entire code; if they won't do it today, they will have to do it tomorrow anyway.
