PerlMonks  

The Dangers of Cutting and Pasting Module Code

by tachyon (Chancellor)
on Aug 02, 2001 at 16:46 UTC ( [id://101629]=monkdiscuss )

At this node, "Copying complete module code into a script", monk Daddio wanted to paste module code into a script. merlyn replied pointing to "no excuses about not using CGI.pm". This concerns me because at this node, "A serious security problem with CGI.pm 3.01?", it is noted that it seems possible to generate a working CGI.pm with a broken $POST_MAX, as this variable is no longer coded in the core CGI.pm code - it is in another module. This opens sites using this to denial of service attacks, and worse, the problem appears silent.

With complex modules like CGI.pm 3.0 the core code exists not in one but several interlinked modules. While I am at a loss as to how you can generate the problem described (the fact that there are missing modules should be picked up) I am concerned that cutting and pasting modules may lead to code that works on the surface but has significant security or other issues.

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
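A startup self-check for the silent failure described in the post above, as an added example that is not code from this thread or from CGI.pm itself: it simulates an oversized POST and refuses to run unless the loaded CGI.pm rejects it. The minimum version and the limit values are constructed placeholders, and it assumes the installed CGI.pm reports an over-limit POST through `cgi_error` with a 413 status.

```perl
#!/usr/bin/perl
# Added example: verify at startup that CGI.pm's POST limit is really enforced.
use strict;
use warnings;
use CGI ();

# Placeholder (constructed): set to the CGI.pm release you have audited.
my $MIN_CGI_VERSION = '2.50';
CGI->VERSION($MIN_CGI_VERSION);    # dies if the loaded CGI.pm is older

# Real CGI.pm package variables; the limit values are constructed.
$CGI::POST_MAX        = 100 * 1024;    # refuse request bodies over 100 KB
$CGI::DISABLE_UPLOADS = 1;             # no file uploads

# Pretend to be an oversized POST and see whether CGI.pm refuses it.
# Returns 1 only if the limit is enforced, 0 otherwise.
sub post_max_is_enforced {
    local $ENV{REQUEST_METHOD} = 'POST';
    local $ENV{CONTENT_TYPE}   = 'application/x-www-form-urlencoded';
    local $ENV{CONTENT_LENGTH} = $CGI::POST_MAX + 1;

    # Empty in-memory body: a CGI.pm that ignores the limit reads nothing
    # here instead of blocking on the real STDIN.
    my $body = '';
    open my $fake_stdin, '<', \$body or die "in-memory open failed: $!";
    local *STDIN = $fake_stdin;

    my $q   = CGI->new;
    my $err = $q->cgi_error;           # assumed to start with "413" when over limit
    return defined $err && $err =~ /^413\b/ ? 1 : 0;
}

# Log which file actually supplied CGI.pm, so a pasted or stray local copy
# earlier in @INC shows up instead of passing unnoticed.
warn "CGI.pm $CGI::VERSION loaded from $INC{'CGI.pm'}\n";

post_max_is_enforced()
    or die "\$CGI::POST_MAX is not enforced by this CGI.pm; refusing to run\n";
```

Run the check before the script handles its first real request, so a copy of the module that has lost the limit fails loudly at startup.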


Replies are listed 'Best First'.
Re: The Dangers of Cutting and Pasting Module Code
by bikeNomad (Priest) on Aug 02, 2001 at 17:49 UTC
    Barring a design flaw (like the use of a global variable in the CGI module(s) that should never have been visible in the first place), you're ordinarily OK. And Perl has the ability to require at least a particular version (and we recently had a discussion about how to require exactly a particular version) of a module.

    But you can't regard any program as being comprised of just what you wrote. Even if you don't include any modules explicitly, you're still dependent on the language, the way it's been configured and installed, and the rest of the environment. Are you going to guarantee that your program will work in the next version of Perl? You might have faith that it will, but you won't know until you've seen it do so on a variety of systems.

    It's not easy to make a non-trivial program that will work in everybody's system.

Re: The Dangers of Cutting and Pasting Module Code
by Nitsuj (Hermit) on Aug 03, 2001 at 05:27 UTC
    While this is a valid concern, I think that anybody cutting and pasting code should know what that code does, as in read it and understand it prior to cutting and pasting. Anybody who suffers faults from cutting and pasting code at random only suffers because they didn't bother to read that code first. I think that this should serve as a lesson to people who use snippets, that they should read those snippets first.

    Just Another Perl Backpacker
