"just regular dictionaries, in Perl they are called hashes" ... and that, dear readers, is the point at which I'd either leave, open a book or start a game on my tablet or notebook.

Nowadays anyone can call himself a "researcher" and give speeches.

Nowadays anyone can call himself a "researcher" and give speeches

So it seems. Googling for "Netanel Rubin" does not show any evidence of Perl (or Python for that matter) expertise. At least, I couldn't find any substantial code written by this guy. BTW, that is in stark contrast to Felix von Leitner (Fefe), who clearly is an accomplished programmer with lots of runs on the board. I couldn't find any runs on the board for Netanel and, in his first talk, I'm afraid he didn't score any.

What I found offensive was his crude use of propaganda in the camel images accompanying the slides, and in the talk itself. At the start of the talk, for example, after acknowledging that this is his first talk, he urges the audience to say "F*** Perl". Breathtaking. Did his company really give permission to deliver such a vulgar talk?

Update:

• reddit discussion of Perl Jam talk in which Netanel Rubin replies that he is not a "Pythonista" (I see no evidence that he is an accomplished programmer in any language) and, embarrassingly, continues to display his ignorance of modern Perl, for which he is taken to task as "a complete novice who never even bothered to learn the language, and is instead relying on popular culture definitions of the language they heard from their equally ignorant peers". Other responses: "the idea that you expect foo($scalar, @array) to be called as if @array were an array reference is just nonsense ... that you showed those slides that claimed that that behavior was unexpected is the very definition of a straw man argument" and "Your argument is incoherent, reflects a misunderstanding of the nature of technical debt and the constraints of project maintenance with limited developer time, and is just about valid as an attack on Perl-as-of-2001 but makes no sense as a complaint against Perl-as-of-2014".
• Bugzilla bug report in which Checkpoint are taken to task for disclosing the vulnerability to the media before Bugzilla had a chance to fix it and for exaggerating the severity of this vulnerability.

> Breathtaking. Did his company really give permission to deliver such a vulgar talk?

It's an Israeli company, the military has such a strong influence on formation in this society that being offensive (for European standards) is considered a virtue.

I have many friends who came back (often after visiting family) and complained about the "lack of good manners"².

See also Getting behind Israeli 'frankness' ¹

IOW many don't shy away to risk talking bullshit, they expect you to talk back and give them reasons to shut up.

In this sense, Mr Rubin yes you are a prick who didn't do his homework and this unprofessional talk will backfire on you! :)

Cheers Rolf

_{(addicted to the Perl Programming Language and ☆☆☆☆ :)}

¹) Though after reading this blog Are Israeli rude I see Central Europeans somehow in the middle between Israeli rudeness and American "passive aggressiveness" ... of course well balanced! ;D

²) politely phrased (pun intended ;)

update

see also Haaretz # Can Israelis learn to have better manners?

At the start of the talk, for example, after acknowledging that this is his first talk, he urges the audience to say "F*** Perl". Breathtaking. Did his company really give permission to deliver such a vulgar talk?

I think guy was inspired by Eran Hammer's talk about OAuth ;) As for company's permission, from marketing point of view it is most important to be talked about, and a bit of vulgarity and strong statements help to achieve this goal, no matter if they are correct or wrong as long as they are resonate with the target audience, so sure, why not.

> just regular dictionaries, in Perl they are called hashes

I browsed thru the pdf and yes it seems pretty obvious at more than 3 slides that he is blaming Perl for not being Python. ¹

Hail Python!°

Cheers Rolf

_{(addicted t (o the Perl Programming Language and ☆☆☆☆ :)}

°) Re^2: I want you to convince me to learn Perl

update

¹) for those unaware dict(ionary) is very much a Python term for associative arrays

And it seems Python is the only language he's somewhat proficient in and even that is a big black box to him. A script kiddie preaching to other script kiddies.

Jenda
Enoch was right!
Enjoy the last years of Rome.

How embarrasing for Netanel Rubin to embarrass himself and checkpoint.com like that

http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/

Its amazing the amount of people that blame others for not reading the docs

But you know whats even more amazing? They patched CGI.pm to warn about this

    # list context can be dangerous so warn:
    # http://blog.gerv.net/2014.10/new-class-of-vulnerability-in-perl-
+web-applications
    if ( wantarray && $LIST_CONTEXT_WARN ) {
        my ( $package, $filename, $line ) = caller;
        if ( $package ne 'CGI' ) {
            warn "CGI::param called in list context from package $pack
+age line $line, this can lead to vulnerabilities. "
                . 'See the warning in "Fetching the value or values of
+ a single named parameter"';
        }
    }
[download]

Whatever you thought about CGI.pm before, its about to get real stupid, its breaking backwards compatibility... that was like the only good thing left about it

Bugs being addressed that fast is another reason for not to stop using such a bizarre language.

perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'

You contradict yourself. You say the talk is embarrassing (and it is), that it's amazing that CGI.pm was patched to warn about this; then you complain that CGI.pm is "about to get real stupid" by breaking backwards compatibility. Do you not see the contradiction? Sometimes we have to break backwards compatibility to fix issues like this, and the "real stupid" thing is to turn a blind eye and say "well, it's legacy code so fuck it". Doing *that* gives Netanel Rubin, et al, even more fuel for their FUD.

The fix highlighted in your post only breaks back compatibility for those with fatal warnings enabled - arguably those users with fatal warnings enabled are the most concerned about problems like these. As i've previously stated - v4 releases of CGI.pm will be back compatible (as much as can be when issues like this arise). v5 and beyond *may* not be. CGI.pm is no longer core and Lincoln has trusted me to DTRT. Regarding the v5 releases: "I am altering the deal, pray I don’t alter it any further."

You say ... that it's amazing

I'm fairly certain that what the other anon meant is "<sarcasm>amazing</sarcasm>", in which case he/she isn't contradicting him/herself.

The fix highlighted in your post only breaks back compatibility for those with fatal warnings enabled

No, at least not as of 4.13; the warning is unconditional and not fatal:

$ perl -MCGI -sE 'say $CGI::VERSION'
4.13
$ perl -MCGI -E 'no warnings; my $x=CGI->new; $,=", ";
  say $x->param("x"); say "didnt die"' -- x=foo x=bar
CGI::param called in list context from package main line 1, this can l
+ead to vulnerabilities. See the warning in "Fetching the value or val
+ues of a single named parameter" at /opt/perl5.20/lib/site_perl/5.20.
+0/CGI.pm line 437.
foo, bar
didnt die
$ perl -MCGI -E 'use warnings; my $x=CGI->new; $,=", ";
  say $x->param("x"); say "didnt die"' -- x=foo x=bar
CGI::param called in list context from package main line 1, ...
foo, bar
didnt die
$ perl -MCGI -E 'use warnings FATAL=>"all"; my $x=CGI->new;
  $,=", "; say $x->param("x"); say "didnt die"' -- x=foo x=bar
CGI::param called in list context from package main line 1, ...
foo, bar
didnt die
[download]

Assuming you're the current maintainer: if you want warnings that the user of CGI can enable, disable and make fatal themselves, you should be using warnings::warnif() with warnings::register instead of warn.

BTW, 4.13 is showing up on search.cpan.org as an unauthorized release.

You contradict yourself. You say...it's amazing that CGI.pm was patched...

Definitions/usages of amazing include the notion of being "struck with some degree of horror". I see no contradiction.

Here is a bug report for you, common pitfall

 $ perl -MCGI=escapeHTML -le " print escapeHTML(qw/ < < < / ) "
&lt;
[download]

Also, why not warn about html shortcuts getting used?

Also, another pitfall you might be able to warn about in some cases, mixing exported param() with CGI->new ?

Also, why not warn about header_printed ? (you already printed headers, second time doesn't count)

And big one, warn about anyone using using ReadParse/->Vars

:)

Seem odd to have to force scalar context to get a single_value .. there should be a function for that

sub CGI::first_param { return my( $first ) = param( @_ ); }
sub CGI::last_param  { return my  $last    = param( @_ ); }
[download]

http://www.daemon.de/blog/2014/12/30/383/re-perl-jam-exploiting-20-year-old-vulnerability-31c3/, http://events.ccc.de/congress/2014/Fahrplan/system/attachments/2542/original/the-perl-jam-netanel-rubin-31c3.pdf

And, more sadness, Fefe called it brilliant.

As for his programming pedigree, he seems to be a grandmaster of Security, Linux, embedded systems, and the C programming language. In terms of programming languages, I don't see much experience except for C. In particular, I don't see much experience in Python or Ruby either, so I doubt his opinion on this talk was in an area of his expertise.

At least he knows how to write Perl though, having a fleitner CPAN account, and being the proud author of two CPAN distributions, Mirror-1.0 and WebMirror-1.0, though these two have not been updated since 1996.

Updated: Minor corrections and wording changes.

I'm a German monk and I seem to remember I heard his name before, but didn't recognize him when I commented.

This guy seems to be very sarcastic and provocative, he also admits posting wrong stories in his blog to test the "media competence" of his audience.

While I admit such personalities are useful in niches like open source and IT security, I'm not sure I want to meet them in real life¹.

Anyway his comment was only limited to three phrases:

Der Perl-Talk war großartig. Wer den verpasst hat, und mit Perl zu tun hat, sollte sich den dringend angucken. Popcorn bereithalten! :-)

The Perl-talk was great. Those who missed it and have to deal with Perl, should urgently watch it. Keep your popcorn ready! :-)

I haven't seen the video yet, but I have to admit that meditating about fat comma was worth talking about it.

• I'm not sure which backwards compatibility would break if => would force scalar context on the RHS. Till now I can only imagine cases of syntactic sugar broken.

  After all that's the behavior most people seem to expect, list flattening like @c=(@a,@b) can still be done with a simple comma.

• Furthermore I'm not sure why HTTP responses aren't easily sanitized, such that fields which are not expected to hold multiple values are blocked/filtered before any further processing takes place.

  For instance: Why should I even handle requests with multiple real_name ?

Also worth noting that Sheldon (aka Python) has DWIM mechnanisms, when returning multiple values.

>>> def func(): return 1
... 
>>> func()
1
>>> def func(): return 1,2
... 
>>> func()
(1, 2)
>>> def func(): return (1)
... 
>>> func()
1
>>> def func(): return (1,)
... 
>>> func()
(1,)
[download]

As you can see one element is "scalar", more are tuples and it's not that intuitive how to return a one element tuple.

Cheers Rolf

_{(addicted to the Perl Programming Language and ☆☆☆☆ :)}

¹) For instance: I have friends who organized conferences with Richard Stallman and never want to meet him in real life again. This doesn't diminish his importance.

The Perl-talk was great. Those who missed it and have to deal with Perl, should urgently watch it. Keep your popcorn ready! :-)

In an earlier announcement he writes: "Um 22:00 verspricht der Perl-Vortrag hochkarätig zu werden." (At 22:00 the Perl lecture promises to be top-class.) Being an influential guy and to some extent spokesman for the CCC (although he dismisses that, his label is associated with the CCC) I judge that as intolerable.

I haven't seen the video yet, but I have to admit that meditating about fat comma was worth talking about it.

Your meditations are valid, but building an edge case for "fat comma" as it is, breaks orthogonality. Array context is array context, and that applies to %hash as LHS value.

perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'

Agreed: the presentatation was quite insolent, but not without merit. There was food for thought. Slides with code and camel mugshots on the left, video inset of Netanel wearing a camel scarf on the right. Charming. :D

Fat comma just implies a mapping relationship, and one-to-many is a possibility in the abstract sense. The problem is not limited to fat comma either. Consider: @k = qw(foo bar baz); @v = (1,bar(),3); %m = zip @k, @v;

Power/flexibility is a double-edged sword. No news here. I do wonder though — what if the CGI method had been named params all along? Would that have resulted in fewer thinkos?

As an American monk, we have a term that describes Leitner: "muck raker". And, at least as a Marine, we have an even better term: "slime".

I'm not sure which backwards compatibility would break if => would force scalar context on the RHS.

Try Moose attribute initializers, especially if you use grouping parentheses.

Furthermore I'm not sure why HTTP responses aren't easily sanitized, such that fields which are not expected to hold multiple values are blocked/filtered before any further processing takes place.

For instance: Why should I even handle requests with multiple real_name ?

Hmm... odd thoughts

German monks please correct me if I'm way off here

You're not only not wide off, but dead on here (and not only here btw).

perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'

Who is Fefe and why his opinion is so important?

After reading some entries he seems to be one of these talkative (read "cool") security guys with a Messiah complex.

The signature of his blog says

Proudly made without PHP, Java, Perl, MySQL and Postgres

So don't expect an unbiased or even scientific opinion.

Cheers Rolf

_{(addicted to the Perl Programming Language and ☆☆☆☆ :)}

PS: had to google his blog, the link was broken, maybe due to proud technology.

Thanks Rolf, I suspected something similar.

"Who is Fefe and why his opinion is so important?"

Please see:

• Felix von Leitner
• fefe on FAZ
• fefe on Heise

...because he writes in some influential german newspapers and magazines.

Best regards, Karl

«The Crux of the Biscuit is the Apostrophe»

Thanks Karl, I learned his name.

And, more sadness, Fefe called it brilliant.

A strong response from the perl community

... (or may be ironic)

He would have made that point and written "the talk, not the content".

And his hint at popcorn shows that he expects...

I read that rather as "Captain Obvious gives perl what it deserves."

perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'

A strong response from the perl community is due IMHO.

So why not hope for a talk about the newly released Perl 6 then? Would that not be a cool response? (if only I could believe in it :-)

Let's hope Larry's talk at FOSDEM will be better publicity for Perl...

Large parts of this talk are polemic shit but it mentions 2 or 3 issues which should be addressed in perl5, either by new features or better documentation.

IMHO waiting for a year to rectify things or for perl6 to be the "cavalry" is not the right strategy.

Update

This video is going to be linked and cited at many places as "proof" that Perl is dead.

Cheers Rolf

_{(addicted to the Perl Programming Language and ☆☆☆☆ :)}

PS These issues are addressed in Perl 6, AFAIK.