PerlMonks
Re: Re^4: Dangerous diamonds! (races)

by sauoq (Abbot)
on May 22, 2003 at 08:12 UTC (#260004)


in reply to Re^4: Dangerous diamonds! (races)
in thread Dangerous diamonds!

I never said "Perl is a poor tool". I suppose I could have been more precise and said something awkward

I realized what you intended to say after I responded to it. That's why I added the footnote. You stated it well enough; the confusion was mine. I'm sorry I didn't take the time to reword my response there.

I consider the feature of executing filenames to be a pathetic feature.

I do agree. I just don't think that the implications are all that serious in reality. From a theoretical standpoint, it's friggin' terrible. But once you take into account how systems are really used, the impact is minimal because it is so impractical to exploit.

I don't think such needs to induce panic.

I guess big nouns don't always make for eloquent speech either. Like I said, I do advocate education. I'd prefer a "using perl -ne as root has some security implications you should be aware of" to an absolutist "don't do it" approach though.

2-argument open just doesn't bother me near as much.

Really? Now see, that one bothers me a lot more. And for a very simple reason: it has resulted in many more actual serious security vulnerabilities. In theory, it might be less egregious, but in practice it has been improperly used by scads of casual programmers who have unwittingly written innumerable remote exploits. And they continue to do so. That's a problem that won't go away until two-argument open does (or is fixed).

-sauoq
"My two cents aren't worth a dime.";


Re^6: Dangerous diamonds! (races)
by tye (Cardinal) on May 22, 2003 at 14:57 UTC
    scads of casual programmers who have unwittingly written innumerable remote exploits

    Very good point.

    Part of why <> upsets me more is that the fix is obvious to me and I'm galled by people claiming that it isn't a problem and can't be fixed. My preference would be to immediately change the default behavior under the theory that it fixes more (by far) existing code than it breaks.

    I also see real usefulness in the magical, 2-argument open. Which makes it harder for me to see how to fix the problems with it. And I try not to get upset over complex problems that I don't see clear, non-trade-off solutions for. There are just way too many of those in the world and I prefer not to spend so much of my time being upset.

    But I can certainly appreciate where you are coming from now. (:

                    - tye
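As an added illustration of the two points made above (sauoq's, that two-argument open keeps producing real vulnerabilities, and tye's, that the fix for <> is obvious), here is a small Perl script that is not code posted by either monk. It classifies a filename the way two-argument open (and therefore the <> / ARGV loop) would interpret it, without opening anything, and shows the three-argument open that takes the name literally. The sample arguments are constructed; the classification follows the rules in perlfunc/perlopentut in simplified form.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Decide how two-argument open (and so the <> loop over @ARGV) would treat a
# filename. Simplified rendering of the perlfunc rules; nothing is opened here.
sub two_arg_open_mode {
    my ($name) = @_;
    my $n = $name;
    $n =~ s/^\s+//;          # leading and trailing whitespace are discarded
    $n =~ s/\s+$//;
    return 'stdin'             if $n eq '-';
    return 'stdout'            if $n eq '>-';
    return 'pipe-to-command'   if $n =~ /^\|/;   # "|cmd"  runs cmd, writes to it
    return 'pipe-from-command' if $n =~ /\|$/;   # "cmd|"  runs cmd, reads from it
    return 'read-write'        if $n =~ /^\+[<>]/;
    return 'append'            if $n =~ /^>>/;
    return 'write-truncate'    if $n =~ /^>/;
    return 'read'              if $n =~ /^</;
    return 'plain-read';
}

# The fix the thread argues for: three-argument open takes the name literally,
# so "|cmd" or ">notes.txt" is just an (almost certainly missing) file name.
# Since Perl 5.22 the <<>> operator gives the ARGV loop the same semantics.
sub read_lines_safely {
    my ($name) = @_;
    open(my $fh, '<', $name) or die "cannot open '$name' for reading: $!";
    my @lines = <$fh>;
    close $fh;
    return @lines;
}

# Constructed sample arguments, as they might arrive in @ARGV.
my @samples = ('notes.txt', '  notes.txt ', '>notes.txt', '>>notes.txt',
               '|cmd', 'cmd|', '-', '+<notes.txt');
for my $arg (@samples) {
    my $mode = two_arg_open_mode($arg);
    my $flag = $mode eq 'plain-read' ? '' : '   <-- not a plain read under <>';
    printf "%-16s %-18s%s\n", "'$arg'", $mode, $flag;
}
```

Run it with no arguments to see the table; pass one of the sample names to read_lines_safely to confirm that three-argument open only ever attempts a literal read.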
