
Re: [ID 19991230.004] Phrack finds a major perl bug



Hi,

ap296@torfree.net:
> >So that should be our primary reply to the reporter of the "bug".
> 
> With all of the flames in this thread, I don't know if your last statement
> is supposed to be funny or has honest intentions. :/
> 
It's not Perl's fault that Perl defaults to "strings may contain \0
characters", unlike C which defaults to "strings may not contain \0
unless you explicitly carry the length around", or some others where not
even that is possible.

It's the programmer's job to make sure that file names from external
sources are properly filtered. Perl's taint checks are supremely useful
for doing this.

One can write programs that are a security nightmare in any language.
Secure programs need care and forethought. Perl's tainting (among other
features) actually helps with the "care" part (in fact, I don't know any
other language which does this). It's therefore not very useful to single
out Perl's "security problems".

-- 
Matthias Urlichs  |  noris network GmbH   |   smurf@noris.de  |  ICQ: 20193661
The quote was selected randomly. Really.    |      http://www.noris.de/~smurf/
-- 
"Batton down the hatches, several thousand Zulus approaching from the north."
	-- Christopher Commission report of LAPD car-to-car computer message, 7/91

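The filtering the reply calls for, as an added example that is not from the thread or from any of its posters: a whitelist regex under taint mode rejects a NUL-bearing name outright instead of letting the C layer truncate it. The base directory, the helper name and the test inputs are constructed for the example.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread: filter an externally supplied file name
# before open() hands it to the C library, where the string ends at the first
# NUL byte. Run with -T so Perl refuses to use unfiltered input in open().
use strict;
use warnings;

my $DIR = '/tmp/uploads';   # assumed base directory for user files

# Return an untainted, safe file name, or undef if the input is unacceptable.
# The regex capture is what untaints: only what the whitelist matched is kept.
sub safe_name {
    my ($input) = @_;
    return undef unless defined $input;
    # \A and \z (not ^ and $): $ would also accept "name.txt\n".
    # The class has no NUL, no '/', and no leading '.', so "passwd\0.txt",
    # "../etc/passwd" and ".hidden" are rejected rather than truncated.
    my ($name) = $input =~ /\A(\w[\w.-]{0,63})\z/ or return undef;
    return $name;
}

# Constructed inputs standing in for a form or query parameter. Appending
# zero characters of a tainted value (the environment is tainted under -T)
# is the usual idiom to mark test data as tainted.
my $taint  = substr(join('', values %ENV), 0, 0);
my @inputs = map { $_ . $taint } (
    "report.txt",
    "passwd\0.txt",       # a C string would end at "passwd"
    "../../etc/passwd",
    "notes.txt\n",
);

for my $in (@inputs) {
    my $name  = safe_name($in);
    my $shown = $in =~ s/[^[:print:]]/?/gr;   # make NUL and newline visible
    if (defined $name) {
        # Untainted: open() is allowed, and no NUL can reach the C layer now.
        if (open my $fh, '<', "$DIR/$name") { print "ok   $shown\n"; close $fh }
        else                                { print "ok   $shown (no such file: $!)\n" }
    } else {
        print "deny $shown\n";
    }
}
```

Invoke it as `perl -T example.pl` or directly via the shebang; `perl example.pl` dies with "Too late for -T option", which is itself a useful check that taint mode is really on.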

Follow-Ups from:
Russ Allbery <rra@stanford.edu>
References to:
ap296@torfree.net
